Code-Projects Online Product Reservation System SQL Injection Vulnerability in User Registration Component

A critical SQL injection vulnerability has been identified in Code-Projects Online Product Reservation System version 1.0. The issue resides in the user registration handler, specifically within the file '/handgunner-administrator/register_code.php'. The vulnerability arises because the application improperly sanitizes multiple POST parameters before incorporating them into an SQL INSERT query. This flaw enables attackers to manipulate user registration data and potentially extract information from the database. The vulnerability can be exploited remotely without any authentication requirements.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a POST request to 'register_code.php' with crafted data that includes SQL injection payloads in the 'fname', 'lname', 'address', 'city', 'province', 'country', 'zip', 'tel_no', 'email', 'username' fields. The application will process the input without proper validation, allowing the injection of malicious SQL code.