Gửi #749233: code-projects Online Student Management System in PHP unknown SQL Injectionthông tin

tiêu đềcode-projects Online Student Management System in PHP unknown SQL Injection
Mô tảMultiple SQL injection vulnerabilities are present in the "Online Student Management System in PHP" (code-projects). Several server-side scripts construct SQL statements by directly concatenating user-controlled input (such as usernames, passwords and resource IDs) into query strings without using prepared statements or proper input validation. An attacker can exploit these injection points to bypass authentication, enumerate and exfiltrate sensitive database records, modify or delete data, and potentially achieve full database compromise or account takeover. Proof-of-Concept / Reproduction steps: Send typical SQLi payloads to authentication or ID-based parameters (examples): In a login form: username = ' OR '1'='1 and any password → may bypass authentication. In ID/parameter endpoints: append ' OR '1'='1' -- or use ' UNION SELECT ... to extract data. Observe successful login, additional returned rows, or error messages that reveal database structure. Use boolean-based, error-based or time-based techniques to extract schema and sensitive fields. Evidence (code excerpts): accounts.phpLines 24-27 $mydb->setQuery("SELECT * FROM `useraccounts` WHERE `ACCOUNT_USERNAME` = '". $U_USERNAME ."' and `ACCOUNT_PASSWORD` = '". $h_pass ."'"); students.phpLines 41-44 $mydb->setQuery("SELECT * FROM `tblstudent` WHERE `ACC_USERNAME` = '". $U_USERNAME ."' AND `ACC_PASSWORD` = '". $h_pass ."'"); Impact: Authentication bypass Data disclosure (sensitive user and system data) Data modification/deletion Potential full database access depending on privileges
Người dùng
 imcoming (UID 95032)
Đệ trình30/01/2026 10:45 (cách đây 3 các tháng)
Kiểm duyệt07/02/2026 15:47 (8 days later)
Trạng tháiđược chấp nhận
Mục VulDB344872 [code-projects Online Student Management System 1.0 Login accounts.php username/password Tiêm SQL]
điểm17

Do you know our Splunk app?

Download it now for free!