Code-Projects Patient Record Management System SQL Injection Vulnerability in Xray Print.php

Vulnerability

A critical SQL injection vulnerability has been identified in the Code-Projects Patient Record Management System version 1.0. The issue resides in the file 'xray_print.php', where the 'itr_no' request parameter reaches the database without proper sanitization and can be manipulated remotely. This vulnerability enables attackers to execute arbitrary SQL commands, potentially leading to unauthorized access to, or modification of, database information.

Impact

Exploitation of this vulnerability allows for arbitrary SQL command execution, which could be used to manipulate the database, extract sensitive information, or potentially escalate privileges within the application.

Reproduction

To reproduce this vulnerability, send a request to 'xray_print.php' with a crafted 'itr_no' parameter that includes SQL injection payloads. Because the parameter is not properly sanitized, the injected SQL is executed by the database, which demonstrates the vulnerability.
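The advisory includes no source, so the following is an added illustrative example (not the project's code) of the defect class it describes: an 'xray_print.php'-style handler that concatenates 'itr_no' into a query, followed by a hardened version that validates the parameter and binds it with a prepared statement. The table name 'xray', the column name 'itr_no', and the assumption that 'itr_no' is a non-negative integer are assumptions made for illustration.

```php
<?php
// Added illustrative example, not the project's own code.
// Table/column names and the integer type of itr_no are assumptions.

// VULNERABLE pattern (the defect class the advisory describes):
// the request parameter is concatenated straight into the SQL string,
// so whatever the client sends is parsed by the database as SQL.
function fetch_xray_vulnerable(mysqli $db, array $get): ?array {
    $itr_no = $get['itr_no'] ?? '';
    $sql = "SELECT * FROM xray WHERE itr_no = '" . $itr_no . "'";
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// HARDENED version: validate the type first, then bind the value via a
// prepared statement so the database never treats it as query text.
function fetch_xray_safe(mysqli $db, array $get): ?array {
    // Reject anything that is not a plain non-negative integer.
    $itr_no = filter_var($get['itr_no'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    if ($itr_no === false) {
        http_response_code(400);   // malformed parameter: refuse the request
        return null;
    }
    $stmt = $db->prepare("SELECT * FROM xray WHERE itr_no = ?");
    $stmt->bind_param('i', $itr_no);   // 'i' binds the value as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

The hardened handler is the remediation a maintainer would apply: every place that builds SQL from request input should be converted to the bound-parameter form, not only the 'itr_no' path named in the advisory.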

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.3
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.