PHPGurukul Online Shopping Portal Project
cpe:2.3:a:phpgurukul:online_shopping_portal:*:*:*:*:*:*:*
- 2.1
A SQL injection vulnerability exists in the PHPGurukul Online Shopping Portal Project, specifically in version 2.1. The issue is located in the '/pending-orders.php' file within the Parameter Handler component. The vulnerability arises because the 'id' parameter can be manipulated to inject malicious SQL code. The unsanitized input is placed into SQL queries that the application then executes, allowing attackers to access and manipulate the database remotely.
Exploitation of this vulnerability allows unauthorized database access, data manipulation or deletion, and leakage of sensitive information. It could also lead to complete system control and service disruption.
The vulnerability can be reproduced by sending a GET request to 'pending-orders.php' with a crafted 'id' parameter that includes SQL injection payloads. The injection can be performed as time-based blind SQL injection, in which the payload changes the database's response time and the attacker infers information from the delay.
It is recommended to use prepared statements and parameter binding to prevent SQL injection. Additionally, input validation and filtering should be implemented to ensure that user input meets expected formats, blocking malicious data. Database user permissions should be minimized, ensuring that the account used for database connections has only the necessary privileges.
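The recommendation above, shown as an added example that is not the project's own code: a query built by concatenating 'id' next to one that validates the format and binds the value. The `orders` table, the function names and the in-memory SQLite database (reached through PDO so the script runs offline) are assumptions standing in for the application's schema and database, which the page does not show.

```php
<?php
// Added example: constructed schema, names and inputs (not the project's code).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT)');
$db->exec("INSERT INTO orders (id, status) VALUES (7, 'pending'), (8, 'pending')");

// Weak pattern: the raw parameter becomes part of the SQL text itself,
// so whatever it contains is parsed as SQL.
function findOrderConcatenated(PDO $db, string $id): array
{
    $sql = "SELECT id, status FROM orders WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: check the expected format first, then bind the value
// so it is sent as data and never parsed as SQL.
function findOrderBound(PDO $db, string $id): array
{
    // Accept only 1 to 10 decimal digits; reject before touching the database.
    if (!preg_match('/\A[0-9]{1,10}\z/', $id)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, status FROM orders WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a well-formed id and one carrying extra SQL.
$samples = ['7', '7 OR 1=1'];
foreach ($samples as $input) {
    $weak = count(findOrderConcatenated($db, $input));
    try {
        $safe = count(findOrderBound($db, $input)) . ' row(s)';
    } catch (InvalidArgumentException $e) {
        $safe = 'rejected';
    }
    printf("%-10s concatenated: %d row(s), bound: %s\n", $input, $weak, $safe);
}
```

The third recommendation, minimal database privileges, is configured on the database account rather than in application code and is not shown here.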