Submit #71814: Online Flight Booking Management System review_search.php has SQLinject.

Title: Online Flight Booking Management System review_search.php has SQLinject.
Description:

line: 9:

    $txtsearch=$_POST['txtsearch'];

line: 172-186: The POST parameter txtsearch is received and assigned to $txtsearch

    <?php
    $event_query = $conn->query("select * from sub_event where event_name like '%$txtsearch%'") or die(mysql_error());
    $menum_row = $event_query->rowcount();
    if( $menum_row > 0){
    ?>
    <h3>Sub Events</h3>
    <?php
    while ($event_row = $event_query->fetch())
    {
        $search_mainevent_id=$event_row['mainevent_id'];
        $search_subevent_id=$event_row['subevent_id'];
    ?>

Because the string entered by the user is not filtered and the SQL statements are spliced, the SQL injection vulnerability is generated. It can cause serious harm to the system.
Source: https://github.com/qyhmsys/cve-list/blob/master/Online%20Flight%20Booking%20Management%20System%20review_search.md
User: wei.zhang (UID 38856)
Submission: 01/13/2023 07:47 (3 years ago)
Moderation: 01/13/2023 10:20 (3 hours later)
Status: Accepted
VulDB entry: 218277 [SourceCodester Online Flight Booking Management System POST Parameter review_search.php txtsearch sql injection]
Points: 20
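
The query quoted in the description splices txtsearch into the SQL text. The following added example (not part of the submission and not SourceCodester's code) shows the same LIKE search with the value bound as a parameter through PDO. The helper name search_sub_events, the `!` escape character, the in-memory SQLite database and the sample rows are assumptions made so the script runs offline; only the table and column names come from the quoted query.

```php
<?php
// Added example. Table/column names follow the query quoted in the
// description; the SQLite database and its rows are constructed test data.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec("create table sub_event (
    subevent_id integer primary key, mainevent_id integer, event_name text)");
$conn->exec("insert into sub_event (mainevent_id, event_name) values
    (1, 'Manila to Cebu'), (1, 'Cebu to Davao'),
    (2, 'O''Hare shuttle'), (2, '100% refund promo')");

// Hypothetical helper: the search term travels as a bound parameter, so it
// is never parsed as SQL, whatever characters it contains.
function search_sub_events(PDO $conn, string $txtsearch): array
{
    // Binding stops injection, but % and _ are still LIKE wildcards.
    // Escape them (and the escape character itself) so they match literally.
    $literal = strtr($txtsearch, ['!' => '!!', '%' => '!%', '_' => '!_']);

    $stmt = $conn->prepare(
        "select * from sub_event where event_name like :pattern escape '!'"
    );
    $stmt->execute([':pattern' => '%' . $literal . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a plain term, a legitimate value containing a quote,
// a literal percent sign, and a quote-bearing string that would change the
// meaning of the spliced query but here is only compared as text.
$inputs = ["Cebu", "O'Hare", "100%", "' or '1'='1"];

foreach ($inputs as $input) {
    $rows = search_sub_events($conn, $input);
    printf("%-14s -> %d row(s)\n", $input, count($rows));
    foreach ($rows as $row) {
        // Encode on output as well, since event_name is rendered into HTML.
        echo '  ', htmlspecialchars($row['event_name'], ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

With a MySQL connection, also set PDO::ATTR_EMULATE_PREPARES to false so the statement is prepared by the server rather than assembled client-side.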
