Submission #699245: code-projects Employee Profile Management System published November 15, 2025 SQL Injection

Information

Title: code-projects Employee Profile Management System published November 15, 2025 SQL Injection

Description:

Summary

The vulnerability exists in multiple personnel-related components due to improper handling of user input. Several endpoints directly concatenate user-controlled parameters (per_id, dept_id, term, etc.) into SQL statements, allowing attackers to inject arbitrary SQL queries.

Root Cause

The application builds SQL strings using unsanitized variables (e.g., $_GET['per_id'], $_GET['term']) before calling PDO::prepare(). Because the SQL already contains attacker-controlled fragments before preparation, no parameter binding occurs, resulting in full SQL injection.

Example vulnerable pattern found in files such as view_personnel.php, edit_personnel.php, print_personnel_report.php, and delete_department.php:

    $sql = "SELECT * FROM personnel WHERE per_id = ".$_GET['per_id'];
    $stmt = $pdo->prepare($sql);
    $stmt->execute();

Reproduction

1. Navigate to a vulnerable page. For example:
   http://localhost/employee_profile/view_personnel.php?per_id=1

2. Inject an SQL payload into the per_id parameter. Modify the request to:
   http://localhost/employee_profile/view_personnel.php?per_id=1' OR '1'='1--

3. Observe the returned data. The page will display multiple personnel records instead of a single record.

(Optional destructive test, local environment only)
   http://localhost/employee_profile/delete_department.php?dept_id=0 OR 1=1--
This causes a mass-delete operation.

Impact

This vulnerability allows attackers to:
- Bypass access control by retrieving all personnel data
- Read sensitive HR records across departments
- Modify or delete arbitrary database entries
- Potentially chain into full system compromise if SQL functions or file writes are permitted

Because the vulnerability exists in both view and delete operations, the impact ranges from information disclosure to complete data loss.
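The root cause above is that prepare() is called on SQL that already contains the raw parameter, so there is nothing left to bind. The following is an added example, not code from the project or the submitter: it recreates that concatenate-then-execute pattern and the bound-parameter fix side by side, using Python's sqlite3 module as a stand-in for PHP/PDO, over a constructed in-memory personnel table, and exercises both with the page's dept_id payload shape (0 OR 1=1--) to show that the fix rejects it outright.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the application's personnel table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE personnel (per_id INTEGER PRIMARY KEY, name TEXT, dept_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO personnel VALUES (?, ?, ?)",
        [(1, "Alice", 10), (2, "Bob", 10), (3, "Carol", 20)],
    )
    return conn


def _require_int_param(value, name):
    # The fix has two halves: validate the type, then bind. ASCII digits only.
    if not re.fullmatch(r"[0-9]+", value):
        raise ValueError(f"{name} must be a non-negative integer")
    return int(value)


def view_personnel_vulnerable(conn, per_id):
    # Mirrors the advisory's pattern: the parameter is glued into the SQL text
    # before it reaches the driver, so no placeholder exists to bind.
    sql = "SELECT per_id, name FROM personnel WHERE per_id = " + per_id
    return conn.execute(sql).fetchall()


def view_personnel_fixed(conn, per_id):
    # The value travels separately from the statement and is treated as data.
    sql = "SELECT per_id, name FROM personnel WHERE per_id = ?"
    return conn.execute(sql, (_require_int_param(per_id, "per_id"),)).fetchall()


def delete_department_vulnerable(conn, dept_id):
    conn.execute("DELETE FROM personnel WHERE dept_id = " + dept_id)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM personnel").fetchone()[0]


def delete_department_fixed(conn, dept_id):
    conn.execute(
        "DELETE FROM personnel WHERE dept_id = ?",
        (_require_int_param(dept_id, "dept_id"),),
    )
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM personnel").fetchone()[0]


def rejects(fn, conn, value):
    # True when the hardened handler refuses the input instead of running it.
    try:
        fn(conn, value)
    except ValueError:
        return True
    return False
```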
Source: https://github.com/shenxianyuguitian/employee-management-SQL
User: xuanyuesanshi (UID 88126)
Submission: 21.11.2025 08:22 (5 months ago)
Moderation: 06.12.2025 18:19 (15 days later)
Status: accepted
Entry: VulDB 334613 [code-projects Employee Profile Management System 1.0 /view_personnel.php per_id SQL Injection]
Points: 20
