SourceCodester Food Ordering System SQL Injection Vulnerability in Parameter Handler Component

A critical SQL injection vulnerability has been identified in SourceCodester Food Ordering System version 1.0. The issue resides in the Parameter Handler component, specifically within an unknown function of the file purchase.php. The vulnerability is triggered by manipulating the 'custom' parameter, allowing remote attackers to inject malicious SQL queries. This exploitation could lead to unauthorized database access, data modification or deletion, and exposure of sensitive information.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to interfere with the application's database queries. This could result in unauthorized data access, data manipulation, or execution of administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a request to the purchase.php file with a crafted 'custom' parameter that includes malicious SQL payloads. This can be done manually or using automated tools that exploit SQL injection vulnerabilities. The absence of input validation for the 'custom' parameter allows these SQL injection attacks to succeed.