SourceCodester Sales Tracker Management System GET Parameter manage_product.php sql injection

An attacker sends a crafted HTTP GET request to `/php-sts/admin/products/manage_product.php` with a malicious `id` parameter containing SQL injection payloads [ref_id=1]. The researcher demonstrated three payloads: a boolean-based test (`id=1' and 'a'='a`), a false-condition test (`id=1' and 'a'='z`), and a time-based blind test using `SLEEP(10)` [ref_id=1]. The attack is remotely exploitable over HTTP with no authentication required beyond a valid session cookie.

The vulnerability exists in the file `/php-sts/admin/products/manage_product.php` within the Sales Tracker Management System 1.0 [ref_id=1]. The GET parameter `id` is passed directly into a SQL query without sanitization or parameterization [ref_id=1].

No patch is provided in the bundle. The advisory does not include a fix commit or vendor remediation. To close this vulnerability, the application must use parameterized queries (prepared statements) or properly escape the `id` input before including it in a SQL statement. Input validation to ensure `id` is an integer would also prevent injection.

1. Send a GET request to `/php-sts/admin/products/manage_product.php?id=1'%20and%20'a'='a` — the page returns normally, confirming SQL injection [ref_id=1]. 2. Send a GET request to `/php-sts/admin/products/manage_product.php?id=1'%20and%20'a'='z` — the page does not render normally, confirming the false condition alters query execution [ref_id=1]. 3. Send a GET request to `/php-sts/admin/products/manage_product.php?id=1'%20and%20(select%201%20from%20(select(sleep(10)))x)%20and%20'q'='q` — the server response is delayed by approximately 10 seconds, confirming time-based blind SQL injection [ref_id=1].