Code-Projects Simple Flight Ticket Booking System SQL Injection Vulnerability

A SQL injection vulnerability exists in Code-Projects Simple Flight Ticket Booking System version 1.0, specifically within the '/register.php' file. This vulnerability allows attackers to inject malicious SQL queries through the 'username' and several other parameters. The application does not properly validate or sanitize user input before it is used in SQL commands, enabling unauthorized manipulation of the database. Exploitation of this vulnerability could lead to unauthorized data access, modification or deletion of database records, and potentially allow attackers to gain full control over the database.

Impact

Exploitation of this vulnerability allows for SQL injection, where attackers can manipulate database queries to their advantage. This could result in unauthorized data access, data modification or deletion, and in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a POST request to '/register.php' with crafted input that includes SQL injection payloads in the 'username' parameter. The lack of input validation will allow the injected SQL code to be executed, manipulating the database as intended by the attacker.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection vulnerabilities. Additionally, implement input validation and filtering to ensure that user-supplied data does not contain malicious content that could be used to manipulate SQL queries.