PHPGurukul Beauty Parlour Management System SQL Injection Vulnerability in Appointment Search Admin Page

A SQL injection vulnerability has been identified in PHPGurukul Beauty Parlour Management System version 1.1. The issue arises in the admin search-appointment.php file, where the searchdata parameter is manipulated, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, without any authentication, potentially leading to unauthorized access and manipulation of the database.

Impact

Exploitation of this vulnerability allows attackers to inject malicious SQL queries, bypassing authentication and authorization. This could lead to unauthorized data access, modification or deletion of database records, and in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a POST request to the admin/search-appointment.php page with a crafted searchdata parameter. The injected SQL payload can exploit the application's database query handling, demonstrating the SQL injection flaw.

Remediation

It is recommended to implement prepared statements and parameterized queries to prevent SQL injection. Additionally, input validation and sanitization should be enforced to ensure that user inputs do not contain malicious SQL code. Regularly updating the application and conducting security audits can also help identify and mitigate such vulnerabilities.