Code-Projects Simple Food Order System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in Code-Projects Simple Food Order System version 1.0. The issue resides in the 'register-router.php' file, specifically within the Parameter Handler component. The vulnerability arises from inadequate validation of the 'name' parameter, allowing attackers to inject malicious SQL queries. This exploitation can be performed remotely, without any authentication.

Impact

Exploitation of this vulnerability allows unauthorized database access, manipulation of data, leakage of sensitive information, and potential disruption of services.

Reproduction

To reproduce this vulnerability, send a POST request to 'register-router.php' with the 'name' parameter crafted to include a SQL injection payload. The injection can be verified by observing the application's response or by using a tool like sqlmap to automate the exploitation process.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, minimize database user permissions, and conduct regular security audits.