Campcodes Online Food Ordering System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in Campcodes Online Food Ordering System version 1.0. The issue resides in the '/routers/register-router.php' file, where user input from the 'name' parameter is improperly validated, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, potentially leading to unauthorized database access, data manipulation, and leakage of sensitive information.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to interfere with the application's database queries. This could result in unauthorized data access, data modification or deletion, and in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a POST request to 'register-router.php' with the 'name' parameter crafted to include malicious SQL payloads. This input is then processed by the application without proper sanitization, allowing the injected SQL to be executed by the database.

Remediation

To address this vulnerability, developers should implement prepared statements and parameter binding to separate SQL code from user input, ensuring that injected data is not executed as part of a SQL command. Additionally, input validation and filtering should be applied to confirm that user data meets expected formats before processing.