| Field | Value |
|---|---|
| Title | Hospital-Management-System-Website web 1 SQL Injection |
| Description | This vulnerability is a SQL injection vulnerability existing in the user deletion interface of the Hospital Management System Website (source code address: https://github.com/nahiduddinahammed/Hospital-Management-System-Website). It is specifically located in line 38 of the file D:\phpstudy_pro\WWW\Hospital-Management-System-Website-master/delete.php. The cause of the vulnerability is that the user input variable `$ai` is directly concatenated into the SQL DELETE statement without parameterization (original statement: `DELETE FROM dashboard WHERE patient_id ='$ai'`). Attackers can construct malicious inputs (e.g., `' OR '1'='1`), which will change the final SQL statement to `DELETE FROM dashboard WHERE patient_id ='' OR '1'='1'`, thereby deleting all user data in the dashboard table. |
| Source | https://github.com/mhszed/Report/blob/main/SQL%20Injection%20Vulnerability%20in%20the%20Hospital-Management-System-Website%20Editor.docx |
| User | mahushuai (UID 91047) |
| Submission | 09/27/2025 14:55 (7 months ago) |
| Moderation | 10/05/2025 08:10 (8 days later) |
| Status | Accepted |
| VulDB entry | 327200 [nahiduddinahammed Hospital-Management-System-Website up to e6562429e14b2f88bd2139cae16e87b965024097 /delete.php ai sql injection] |
| Points | 20 |
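The entry above describes the defect only as a quoted statement. The following is an added example written for this page, not code from the project's delete.php: it places the concatenated query in the shape the report describes beside a parameterized replacement using mysqli prepared statements. The `$conn` connection, the placeholder credentials, the input allowlist and the session check are assumptions made for the example; the table name, column name and the `ai` parameter come from the entry.

```php
<?php
// Added example, not the project's own code. Assumes a mysqli connection
// to the application's database; table/column names are from the report.

// Before: the request value is spliced into the query text. A value such as
//   ' OR '1'='1
// rewrites the WHERE clause, which is the condition the report describes.
function deletePatientUnsafe(mysqli $conn, string $ai): bool
{
    $sql = "DELETE FROM dashboard WHERE patient_id ='$ai'";
    return (bool) $conn->query($sql);
}

// After: the statement is compiled with a placeholder and the value is bound
// separately, so the database engine never parses the input as SQL.
// Returns the number of rows actually deleted.
function deletePatientSafe(mysqli $conn, string $ai): int
{
    $stmt = $conn->prepare("DELETE FROM dashboard WHERE patient_id = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $ai);
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}

// Request handling (assumed layout; the report does not show the app's
// authentication, so the session check is illustrative).
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('login required');
}

$ai = $_POST['ai'] ?? '';   // parameter name 'ai' is from the VulDB entry
// Allowlist is an assumed id format; it is a second layer, not the fix.
if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $ai)) {
    http_response_code(400);
    exit('invalid patient id');
}

$conn = new mysqli('localhost', 'db_user', 'db_pass', 'hospital'); // placeholders
$conn->set_charset('utf8mb4');

$deleted = deletePatientSafe($conn, $ai);

// A single-record delete should never touch more than one row; anything
// else is worth logging as a detection signal for tampered requests.
if ($deleted > 1) {
    error_log("delete.php: unexpected row count $deleted for patient_id=$ai");
}
echo $deleted === 1 ? 'deleted' : 'no matching record';
```

The fix is the placeholder plus `bind_param`; the allowlist and row-count check only narrow the blast radius if the query is ever rewritten back to string concatenation.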