| Title | sourcecodester Pizzafy Ordering System V1.0 SQL Injection |
|---|
| Description | During the security review of "Pizzafy Ordering System", a critical SQL injection vulnerability was identified in the /admin/view_order.php file. The vulnerability exists due to the application directly using user-controlled input from the id GET parameter in SQL queries without any sanitization, validation, or parameterized processing.
This flaw is exploitable via multiple SQL injection vectors including boolean-based blind, error-based, time-based blind, and UNION query injection. Unauthenticated remote attackers can inject malicious SQL payloads to manipulate database queries, access and extract all data from the backend database, and perform unauthorized database operations. |
|---|
| Source | ⚠️ https://github.com/nidieaaa/test/issues/7 |
|---|
| User | baiqiuran (UID 97198) |
|---|
| Submission | 04/14/2026 13:09 (3 months ago) |
|---|
| Moderation | 04/30/2026 20:54 (16 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 360119 [SourceCodester Pizzafy Ecommerce System 1.0 GET Parameter /admin/view_order.php ID sql injection] |
|---|
| Points | 0 |
|---|