Submit #837207: CodeAstro Human Resource Management System in PHP CodeIgniter v1.0 SQL Injection

Title: CodeAstro Human Resource Management System in PHP CodeIgniter v1.0 SQL Injection

Description: A SQL Injection vulnerability has been identified in the Payroll Invoice module of a CodeIgniter-based Human Resource Management System (https://codeastro.com/human-resource-management-system-in-php-codeigniter-with-source-code/). The vulnerability exists in the Invoice() function of the Payroll.php controller, which retrieves the `Id` parameter from an HTTP GET request via the CodeIgniter input handler and passes it to the model layer without validation or sanitization. The model's getAllSalaryDataById() function then uses the value in a dynamically constructed SQL query. Because no prepared statements or query parameterization are used, the input is concatenated directly into the SQL statement.

An attacker can therefore supply a crafted Id value that alters the structure of the intended query; error-based, boolean-based blind, UNION-based, and time-based blind SQL injection techniques were all successful. Successful exploitation lets an attacker interfere with the database queries the application executes, giving unauthorized access to payroll and employee-related data stored within the system and affecting the confidentiality and integrity of backend database operations.

The root cause is improper input handling in the controller layer combined with unsafe SQL query construction in the model layer: the lack of input validation and the absence of parameterized queries are the primary contributing factors.

Source: https://github.com/ashikmd0507/CVE/tree/main/SQL-Injection-via-Payroll-Invoice-Module

User: ashikmd7 (UID 98284)

Submission: 05/26/2026 14:58 (18 days ago)

Moderation: 06/12/2026 17:21 (17 days later)

Status: Accepted

VulDB entry: 370616 [CodeAstro Human Resource Management System 1.0 Payroll Invoice Payroll.php ID sql injection]

Points: 20
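The controller-to-model pattern described above, shown as an added illustration that is not the project's code and was not reconstructed from it: the vulnerable shape (raw GET value concatenated into SQL) beside a hardened shape (type check in the controller, query binding in the model), written in CodeIgniter 3 style. The method names Invoice() and getAllSalaryDataById() come from the description; the table name `salary`, the column `id`, the model class names, the view name and the file layout are assumptions.

```php
<?php
// Added example: hypothetical reconstruction of the reported pattern, not the
// project's own source. Table `salary`, column `id` and the class names are assumed.

// --- Vulnerable shape: controller forwards raw GET input, model concatenates it ---
class Payroll extends CI_Controller
{
    public function Invoice()
    {
        $this->load->model('Payroll_model');
        // Raw user input; no check on type or range before it reaches the model.
        $id = $this->input->get('Id');
        $data['salary'] = $this->Payroll_model->getAllSalaryDataById($id);
        $this->load->view('payroll/invoice', $data);
    }
}

class Payroll_model extends CI_Model
{
    // VULNERABLE: $id is interpolated directly into the SQL string, so the
    // value can change the structure of the query rather than just its operand.
    public function getAllSalaryDataById($id)
    {
        $sql = "SELECT * FROM salary WHERE id = " . $id;
        return $this->db->query($sql)->result();
    }
}

// --- Hardened shape: validate in the controller, bind in the model ---
class Payroll_fixed extends CI_Controller
{
    public function Invoice()
    {
        $this->load->model('Payroll_model_fixed');
        $id = $this->input->get('Id');
        // Reject anything that is not a non-negative integer literal (digits only).
        if ($id === null || !ctype_digit((string) $id)) {
            show_error('Invalid invoice id', 400);
            return;
        }
        $data['salary'] = $this->Payroll_model_fixed->getAllSalaryDataById((int) $id);
        $this->load->view('payroll/invoice', $data);
    }
}

class Payroll_model_fixed extends CI_Model
{
    // FIXED: the `?` placeholder is filled by the database driver's escaping, so
    // the input is always treated as a value and can no longer alter the query.
    public function getAllSalaryDataById($id)
    {
        $sql = "SELECT * FROM salary WHERE id = ?";
        return $this->db->query($sql, array((int) $id))->result();
    }
}
```

The same result can be obtained with CodeIgniter's Query Builder, for example `$this->db->get_where('salary', array('id' => (int) $id))`, which escapes the value for you. The integer cast in the model is deliberate defence in depth: it holds even if a future caller forgets the controller-side check. When reviewing a CodeIgniter code base for this class of bug, grep the models for `$this->db->query(` calls whose first argument is built with string concatenation or interpolation and no second (bindings) argument.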
