Code-Projects Simple Gym Management System SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in Code-Projects Simple Gym Management System version 1.0. The issue arises in the Payment Handler component, where user-supplied data for Payment_id, Amount, customer_id, payment_type, and customer_name is directly concatenated into an SQL INSERT statement without proper validation or sanitization. This flaw allows remote attackers to manipulate payment information, potentially leading to financial loss by altering payment amounts, forging records, or accessing sensitive payment data.
Impact
Exploitation of this vulnerability allows an attacker to interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or, in some cases, execution of administrative operations on the database.
Reproduction
To reproduce this vulnerability, send a request to the payment handling function with crafted values for the Payment_id, Amount, customer_id, payment_type, and customer_name fields. The injected SQL payload should exploit the lack of input validation by manipulating the SQL query execution.
Remediation
It is recommended to use prepared statements with parameterized queries to prevent SQL injection. Additionally, implement strict validation and escaping of user inputs before processing them in SQL queries.
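The following sketch illustrates that recommendation for the five fields named above. It is an added example, not code from the Simple Gym Management System. Assumptions: an in-memory SQLite table named `payment` stands in for the application's database, and the allow-list of payment types and the name pattern are hypothetical rules.

```python
import re
import sqlite3
from decimal import Decimal, InvalidOperation

# Assumed allow-list and name pattern; the advisory does not list the real rules.
ALLOWED_PAYMENT_TYPES = {"cash", "card", "transfer"}
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'\-]{0,63}")

def make_db():
    """In-memory SQLite table standing in for the application's payment table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE payment (Payment_id INTEGER PRIMARY KEY, Amount TEXT, "
                 "customer_id INTEGER, payment_type TEXT, customer_name TEXT)")
    return conn

def validate_payment(form):
    """Convert the five request fields to typed values or raise ValueError."""
    try:
        payment_id = int(form["Payment_id"])
        customer_id = int(form["customer_id"])
        amount = Decimal(form["Amount"])
    except (KeyError, ValueError, InvalidOperation) as exc:
        raise ValueError("malformed numeric field") from exc
    if payment_id <= 0 or customer_id <= 0:
        raise ValueError("ids must be positive")
    if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
        raise ValueError("Amount must be positive with at most two decimals")
    if form.get("payment_type") not in ALLOWED_PAYMENT_TYPES:
        raise ValueError("unknown payment_type")
    name = form.get("customer_name", "")
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid customer_name")
    return (payment_id, str(amount), customer_id, form["payment_type"], name)

def insert_payment(conn, form):
    """Validate, then bind every value as a parameter; no input reaches the SQL text."""
    row = validate_payment(form)
    conn.execute("INSERT INTO payment (Payment_id, Amount, customer_id, payment_type, "
                 "customer_name) VALUES (?, ?, ?, ?, ?)", row)
    conn.commit()
    return row

if __name__ == "__main__":
    db = make_db()
    # Constructed sample request; the apostrophe is legitimate data, stored literally.
    insert_payment(db, {"Payment_id": "1", "Amount": "49.99", "customer_id": "7",
                        "payment_type": "card", "customer_name": "Sam O'Brien"})
    print(db.execute("SELECT * FROM payment").fetchall())
```

The name pattern has to admit apostrophes because real names contain them, which is why validation alone cannot replace parameter binding for free-text fields.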
