| Title | Fabian Ros Student Information System In PHP With Source Code November 2, 2025 SQL Injection |
|---|
| Description | A widespread SQL Injection vulnerability pattern exists in the Student Information System (version uploaded on November 2, 2025) which allows remote attackers to execute arbitrary SQL commands via multiple parameters.
The application fails to sanitize user input and does not use parameterized queries across several key endpoints. Specifically:
UNION-based SQLi exists in /searchresults.php via the searchbox parameter, allowing full database exfiltration.
Time-based Blind SQLi exists in /register.php via the username parameter.
Authentication Bypass and Blind SQLi exist in the login function in /index.php via the username and password parameters.
An attacker can leverage these flaws to bypass authentication, extract sensitive records from the database, or manipulate data, posing a critical risk to the confidentiality and integrity of the system. |
|---|
| Source | ⚠️ https://github.com/i4G5d/CRITICAL-SEVERITY-VULNERABILITY-REPORT-Widespread-SQLI |
|---|
| User | i4g5d (UID 92060) |
|---|
| Submission | 12/20/2025 17:17 (4 months ago) |
|---|
| Moderation | 12/23/2025 15:33 (3 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 337859 [code-projects Student Information System 1.0 /searchresults.php searchbox sql injection] |
|---|
| Points | 20 |
|---|