SourceCodester Patients Waiting Area Queue Management System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in SourceCodester Patients Waiting Area Queue Management System version 1.0. The issue arises in the 'getPatientAppointment' function within the file 'php/api_patient_checkin.php'. The vulnerability can be exploited remotely by manipulating the 'appointmentID' parameter, allowing attackers to interfere with SQL queries and potentially access or modify database information.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries. This could lead to unauthorized data access, data modification, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a request to 'php/api_patient_checkin.php' with a crafted 'appointmentID' parameter that includes SQL injection payloads. The injection can be verified by using payloads that, for example, extract database version information.