Code-Projects Patient Record Management System
cpe:2.3:a:code-projects:patient_record_management_system:*:*:*:*:*:*:*
- 1.0
A critical SQL injection vulnerability has been identified in Code-Projects Patient Record Management System version 1.0. The issue is in the file dental_form.php, where manipulating the itr_no and dental_no parameters leads to unrestricted SQL injection. The vulnerability can be exploited remotely, potentially leading to unauthorized access to sensitive information in the server database.
Exploitation of this vulnerability allows for unrestricted SQL injection, enabling attackers to manipulate database queries and access or modify sensitive information in the database.
To reproduce this vulnerability, send a GET request to dental_form.php with the itr_no parameter set; its value is concatenated into the SQL statement without restrictions. The SQL injection can be exploited by crafting a payload that manipulates the SQL query execution.
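The concatenation pattern described above, shown beside a validated, parameterized lookup. This is an added example, not the project's own code: the dental table, its columns, the assumption that both identifiers are numeric, and all function names are hypothetical.

```php
<?php
// Added example: schema, function names and the numeric-id rule are assumptions.
declare(strict_types=1);

// Pattern the advisory describes (shown for contrast, never called below).
function findDentalRecordUnsafe(PDO $db, string $itrNo, string $dentalNo): array
{
    $sql = "SELECT * FROM dental WHERE itr_no = '$itrNo' AND dental_no = '$dentalNo'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Accept only a plain positive decimal integer; arrays, signs and suffixes are rejected.
function parseId(mixed $raw): int
{
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,9}\z/', $raw)) {
        throw new InvalidArgumentException('invalid identifier');
    }
    return (int) $raw;
}

// Hardened form: values are validated, then bound as typed parameters, never concatenated.
function findDentalRecord(PDO $db, mixed $itrNo, mixed $dentalNo): array
{
    $stmt = $db->prepare('SELECT * FROM dental WHERE itr_no = :itr AND dental_no = :dental');
    $stmt->bindValue(':itr', parseId($itrNo), PDO::PARAM_INT);
    $stmt->bindValue(':dental', parseId($dentalNo), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database standing in for the application's own.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE dental (itr_no INTEGER, dental_no INTEGER, note TEXT)');
$db->exec("INSERT INTO dental VALUES (1, 10, 'constructed row A'), (2, 20, 'constructed row B')");

// Constructed request values: one well-formed pair, one with a non-numeric itr_no.
foreach ([['1', '10'], ['1abc', '10']] as [$itr, $dental]) {
    try {
        printf("%s/%s -> %d row(s)\n", $itr, $dental, count(findDentalRecord($db, $itr, $dental)));
    } catch (InvalidArgumentException $e) {
        printf("%s/%s -> rejected before reaching the database\n", $itr, $dental);
    }
}
```

If the application connects through PDO's MySQL driver, also set PDO::ATTR_EMULATE_PREPARES to false so the driver uses server-side prepared statements.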