Hospital Management System SQL Injection Vulnerability in Contact Module

Multiple SQL injection vulnerabilities have been identified in Hospital Management System version 4. These vulnerabilities reside in the 'contact.php' file, specifically within the 'txtname', 'txtphone', and 'txtmail' parameters. The lack of proper input sanitization allows remote attackers to manipulate SQL queries, potentially leading to unauthorized database access, execution of arbitrary code, or disclosure of sensitive information.

Impact

Exploitation of these vulnerabilities allows for SQL injection, which could be used to manipulate the database, execute arbitrary code, or disclose sensitive information.

Reproduction

To reproduce this vulnerability, send a request to 'contact.php' with crafted SQL payloads in the 'txtname', 'txtphone', or 'txtmail' parameters. The injected SQL code can exploit the application's database query handling, potentially leading to unauthorized data access or manipulation.