Code-Projects Human Resource Integrated System SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in Code-Projects Human Resource Integrated System version 1.0. The issue resides in the log_query.php file, where the id parameter is vulnerable due to inadequate input validation and the lack of parameterized queries. This vulnerability allows remote attackers to inject malicious SQL statements, potentially leading to unauthorized access, data extraction, or modification of sensitive information.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to manipulate database queries. This could result in unauthorized access to data, extraction of sensitive information, or modification of database records.

Reproduction

To reproduce this vulnerability, send a POST request to log_query.php with an injected SQL payload in the id parameter. The injected SQL can be crafted to, for example, union select database information, such as the database name.
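The root cause named above (the id value concatenated into a query with no validation and no parameters), shown as an added PHP illustration beside a hardened handler; this is not the project's own code, and the table name, column name and mysqli connection are assumptions, since the page does not show the schema of log_query.php.

```php
<?php
// Added illustration, not code from the Human Resource Integrated System.
// Assumed: a mysqli connection $db and a table `logs` with an integer `id` column.

// Vulnerable pattern: the untrusted POST value is interpolated straight into SQL,
// so whatever the client sends is parsed by the database as part of the query.
function log_query_vulnerable(mysqli $db, array $post): ?array
{
    $id  = $post['id'] ?? '';
    $sql = "SELECT * FROM logs WHERE id = '$id'";   // no validation, no placeholders
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : null;
}

// Hardened handler: enforce the expected type first, then bind the value as a
// parameter so the database receives it as data, never as SQL text.
function log_query_safe(mysqli $db, array $post): ?array
{
    $id = filter_var(
        $post['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);   // reject non-numeric ids instead of querying
        return null;
    }

    $stmt = $db->prepare('SELECT * FROM logs WHERE id = ?');
    if ($stmt === false) {
        http_response_code(500);   // prepare failed; do not fall back to string SQL
        return null;
    }
    $stmt->bind_param('i', $id);   // 'i' binds the value as an integer
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```

Requests carrying a non-integer id are answered with 400 before any query is built, which also gives a simple point to log and alert on for this parameter.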

Added: Aug 31, 2025, 6:20 PM
Updated: Aug 31, 2025, 6:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 5.0
exploitability: 9.1
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.