Hospital Management System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in Hospital Management System version 4. The issue arises in the 'appsearch.php' file, where the 'app_contact' parameter is not properly sanitized before being used in SQL queries. This flaw allows remote attackers to manipulate the database, potentially executing arbitrary code or disclosing sensitive information.

Impact

Exploitation of this vulnerability allows for SQL injection, which could lead to unauthorized database access, execution of arbitrary SQL commands, and in some cases, execution of arbitrary code or disclosure of sensitive information, depending on the application's database interaction and environment.

Reproduction

To reproduce this vulnerability, send a crafted request to 'appsearch.php' including the 'app_contact' parameter. The lack of proper input sanitization will allow the injection of malicious SQL code, which can be executed by the database.