| Title | code-projects Online Examination System in PHP unknown sql |
|---|
| Description | Multiple scripts within the "Online Examination System in PHP" perform SQL queries by directly concatenating unsanitized user input into SQL statements (notably in `login.php`, `login_admin.php`, `add_user.php`, and `addmembers.php`). User-supplied fields such as `username`, `password`, and other form parameters are used verbatim in queries like `SELECT ... WHERE username='$username' AND password='$password'` and direct INSERT statements, allowing an attacker to inject SQL payloads.
Successful exploitation can result in authentication bypass, disclosure of sensitive data (including user passwords stored in plaintext), modification or deletion of database records, and full database compromise depending on the database privileges. The vulnerability is present in both authentication and data-entry routes (login forms and user/member creation endpoints). |
|---|
| User | imcoming (UID 95032) |
|---|
| Submission | 01/30/2026 11:09 (3 months ago) |
|---|
| Moderation | 02/07/2026 15:54 (8 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 344874 [code-projects Online Examination System 1.0 login.php username/password sql injection] |
|---|
| Points | 17 |
|---|