| tiêu đề | Online Flight Booking Management System add_contestant.php has SQLinject |
|---|
| Mô tả | Online Flight Booking Management System add_contestant.php has SQLinject
Download the source code from
https://www.sourcecodester.com/php/15865/online-flight-booking-management-system-using-php-and-mysql-free-source-code.html
line: 152 - 162
if(isset($_POST['add_contestant']))
{
$se_name=$_POST['se_name'];
$sub_event_id=$_POST['sub_event_id'];
$contestant_ctr=$_POST['contestant_ctr'];
$fullname=$_POST['fullname'];
/* contestants */
$conn->query("insert into contestants(fullname,subevent_id,contestant_ctr)values('$fullname','$sub_event_id','$contestant_ctr')");
Because the string entered by the user is not filtered and the sql statements are spliced, the sql injection vulnerability is generated. It can cause serious harm to the system.
Maybe because the program does not turn on error display, the joint query cannot be used here, but the sql injection attack can be carried out through the time blind injection method |
|---|
| Nguồn | ⚠️ https://github.com/f4cky0u/Security-vulnerabilities/blob/main/Online%20Flight%20Booking%20Management%20System%20add_contestant.php%20has%20SQLinject.md |
|---|
| Người dùng | Evilmu1 (UID 38763) |
|---|
| Đệ trình | 12/01/2023 09:56 (cách đây 3 những năm) |
|---|
| Kiểm duyệt | 12/01/2023 15:52 (6 hours later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 218153 [SourceCodester Online Flight Booking Management System add_contestant.php add_contestant Tiêm SQL] |
|---|
| điểm | 20 |
|---|