Code-Projects Student Information System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in Code-Projects Student Information System version 1.0. The issue arises in the file '/searchresults.php', where improper input handling of the 'searchbox' parameter allows remote attackers to execute arbitrary SQL commands. This vulnerability is part of a broader pattern affecting multiple input points within the application, all stemming from inadequate input sanitization and the absence of parameterized queries.

Impact

Exploitation of this vulnerability allows for SQL injection, with the potential to bypass authentication, exfiltrate sensitive data from the database, or manipulate database records.

Reproduction

To reproduce this vulnerability, send a crafted SQL payload through the 'searchbox' parameter in the '/searchresults.php' file. The payload should exploit the application's failure to properly sanitize input, allowing for the execution of arbitrary SQL commands.

Remediation

The application should be updated to use parameterized queries and prepared statements to prevent SQL injection. Additionally, input validation should be strengthened to reject harmful SQL-specific characters.