krishna9772 Pharmacy Management System SQL Injection Vulnerability

Vulnerability

A critical SQL injection vulnerability has been identified in the krishna9772 Pharmacy Management System, in versions prior to commit a2efc8442931ec9308f3b4cf4778e5701153f4e5. The vulnerability is in the file quantity_upd.php, where the parameters med_name, med_cat, and ex_date are not properly sanitized before being used in a database query. The flaw can be exploited remotely, potentially leading to unauthorized database access or manipulation.

Impact

Exploitation of this vulnerability allows for time-based blind SQL injection, where an attacker can execute arbitrary SQL commands and potentially manipulate the database or extract sensitive information.

Reproduction

To reproduce this vulnerability, send a request to the quantity_upd.php file with unsanitized input in the med_name, med_cat, or ex_date parameters. The lack of proper input validation will allow the injected SQL to be executed by the database, demonstrating the SQL injection flaw.
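The usual remediation for this class of flaw is to bind med_name, med_cat and ex_date as parameters of a prepared statement and validate them first. The sketch below is an added example, not the project's code or its actual fix: the table and column names (meds, quantity), the quantity parameter and the length limit are assumptions, since the advisory does not show the query.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern of the kind the advisory describes: request values are
// concatenated into the SQL text, so they can alter the statement itself.
//   $sql = "UPDATE meds SET quantity = $qty WHERE med_name = '$med_name' ...";

// Make mysqli throw on errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Return a non-empty scalar string parameter, or null (rejects arrays). */
function str_param(array $in, string $key, int $maxLen = 100): ?string
{
    $v = $in[$key] ?? null;
    return is_string($v) && $v !== '' && strlen($v) <= $maxLen ? $v : null;
}

/** Accept ex_date only as a real calendar date in YYYY-MM-DD form. */
function parse_expiry(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    // The round trip rejects overflow dates such as 2025-02-30.
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $raw : null;
}

/** Hardened update: values are bound, never spliced into the SQL string. */
function update_quantity(mysqli $db, array $in): bool
{
    $name = str_param($in, 'med_name');
    $cat  = str_param($in, 'med_cat');
    $exp  = parse_expiry(str_param($in, 'ex_date'));
    $qty  = filter_var($in['quantity'] ?? null, FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 0]]);
    if ($name === null || $cat === null || $exp === null || $qty === false) {
        return false; // reject before touching the database
    }
    // Assumed schema: meds(med_name, med_cat, ex_date, quantity).
    $stmt = $db->prepare(
        'UPDATE meds SET quantity = ? WHERE med_name = ? AND med_cat = ? AND ex_date = ?'
    );
    $stmt->bind_param('isss', $qty, $name, $cat, $exp);
    return $stmt->execute();
}

// Usage in the request handler (connection values are placeholders):
//   $db = new mysqli('localhost', 'app_user', 'PASSWORD_PLACEHOLDER', 'pharmacy');
//   $db->set_charset('utf8mb4');
//   $ok = update_quantity($db, $_POST);
```

Because the driver sends the bound values separately from the statement text, input in these three parameters is treated as data only, which also closes the time-based blind variant described under Impact.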

Added: Jul 8, 2025, 11:30 PM
Updated: Jul 8, 2025, 11:30 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.