Submit #813997: Yash Pokharna StudentManagementSystem 1.0 SQL Injectioninfo

TitleYash Pokharna StudentManagementSystem 1.0 SQL Injection
DescriptionA SQL injection vulnerability exists in success.php that allows an attacker to bypass the login authentication. The script directly concatenates the unsanitized $_POST['user'] parameter into the SQL query. Although the password field is hashed with MD5, the lack of proper input handling (e.g., mysqli_real_escape_string or prepared statements) enables an attacker to inject SQL comments (#) to bypass the password verification and log in as any user, including the administrator.
Source⚠️ https://github.com/yashpokharna2555/StudentManagementSystem/issues/2
User
 frljiang123 (UID 96712)
Submission04/27/2026 10:38 (3 months ago)
Moderation05/24/2026 11:03 (27 days later)
StatusAccepted
VulDB entry365450 [yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203 /success.php User sql injection]
Points20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!