Submit #626791: code-projects Human Resource Integrated System published August 1, 2025 SQL Injectioninfo

Titlecode-projects Human Resource Integrated System published August 1, 2025 SQL Injection
DescriptionSummary The vulnerability exists in the insert-and-view component due to improper handling and validation of user input in SQL queries. Root Cause The application uses outdated mysql_* functions (mysql_query) in action.php without fully sanitizing or parameterizing user input. Specifically, the inputs obtained via $_POST['content'] are directly embedded into SQL queries. Example code snippet: $content = mysql_real_escape_string($_POST['content']); mysql_query("insert into comment(msg,ip_add) values ('$content','$ip')"); Although mysql_real_escape_string mitigates basic SQL injection, it does not prevent more complex injection scenarios or second-order SQL injection attacks. Reproduction Navigate to the application's comment submission form. Submit the following payload: '); DROP TABLE comment; -- Observe that the injected SQL query alters the intended database operations. Impact An attacker could leverage this vulnerability to manipulate the database, execute arbitrary SQL commands, access sensitive data, or disrupt database integrity.
Source⚠️ https://github.com/shenxianyuguitian/hris-vuln-sqli/blob/main/README.md
User
 xuanyuesanshi (UID 88126)
Submission08/01/2025 08:08 (9 months ago)
Moderation08/02/2025 08:54 (1 day later)
StatusAccepted
VulDB entry318599 [code-projects Human Resource Integrated System 1.0 action.php content sql injection]
Points20

PreviousOverviewNext