PHPGurukul Pre-School Enrollment System SQL Injection Vulnerability in Enrollment.php

A critical SQL injection vulnerability has been identified in version 1.0 of the PHPGurukul Pre-School Enrollment System. The issue resides in the enrollment.php file, where the fathername parameter is vulnerable to injection attacks. This vulnerability allows attackers to manipulate SQL queries by injecting malicious payloads, potentially leading to unauthorized database access and data manipulation. The vulnerability can be exploited remotely without any authentication.

Impact

Exploitation of this vulnerability allows attackers to inject malicious SQL queries, bypassing authentication and potentially leading to unauthorized access and manipulation of database information. This could include altering or deleting data, or in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a POST request to the enrollment.php file with a crafted payload that includes a SQL injection in the fathername parameter. This payload can be designed to exploit the application's SQL query handling, such as by using SQL injection techniques that manipulate query logic or timing.

Remediation

It is recommended to implement prepared statements and parameterized queries to prevent SQL injection vulnerabilities. Additionally, input validation and sanitization should be applied to all user-supplied data before it is used in SQL queries.