| Title | code-projects.org Hotel and Tourism Reservation In PHP 1.0 SQL Injection |
|---|
| Description | A vulnerability was found in Hotel and Tourism Reservation In PHP 1.0
on code-projects.org. The affected file is /ht/details.php of the
component Room Details Page. The manipulation of the GET parameter
'room' with a crafted payload leads to SQL Injection (Boolean-based
Blind and Time-based Blind).
Payload used:
`room=-1' OR 3*2*1=6 AND 000867=000867 -- -`
The application directly concatenates user input into backend SQL
queries without sanitization or parameterized queries. The attack
can be initiated remotely without user interaction. A proof-of-concept
has been disclosed publicly.
CVSS v3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score: 6.5 (Medium)
Vendor was contacted on 2026-06-04 via email. No response received.
Advisory: https://medium.com/@avdzav10/sql-injection-in-hotel-and-tourism-reservation-system-php-ececa8981afe
Product: https://code-projects.org/hotel-and-tourism-reservation-in-php-with-source-code/ |
|---|
| Source | https://medium.com/@avdzav10/sql-injection-in-hotel-and-tourism-reservation-system-php-ececa8981afe |
|---|
| User | anubhav106 (UID 98769) |
|---|
| Submission | 06/05/2026 07:48 (29 days ago) |
|---|
| Moderation | 07/04/2026 14:54 (29 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 368883 [code-projects Hotel and Tourism Reservation System 1.0 /details.php room sql injection] |
|---|
| Points | 0 |
|---|