PHPGurukul Online Banquet Booking System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in PHPGurukul Online Banquet Booking System version 1.0. The issue resides in the file '/admin/booking-search.php', where the 'searchdata' parameter is manipulated, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, leading to unauthorized database access, data modification or deletion, and exposure of sensitive information.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to interfere with the application's database queries. This could result in unauthorized data access, data manipulation, and in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/admin/booking-search.php' with the 'searchdata' parameter. The injected SQL payload can be crafted to exploit the application's database query handling. For example, a time-based blind SQL injection payload could be used, where the injection is confirmed by the application's response time.

Remediation

To address this vulnerability, it is recommended to implement prepared statements and parameter binding to separate SQL code from user input, ensuring that injected data is not executed as part of a SQL command. Additionally, input validation and filtering should be applied to the 'searchdata' parameter to restrict it to expected formats. Regular security audits can help identify and remediate such vulnerabilities proactively.