code-projects Pharmacy Management System add_new_purchase.php sql injection
Description
A vulnerability classified as critical has been found in code-projects Pharmacy Management System 1.0. Affected is an unknown function of the file /add_new_purchase.php?action=is_supplier. The manipulation of the argument name leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Critical SQL injection in Pharmacy Management System 1.0 via name parameter in add_new_purchase.php allows remote attackers to execute arbitrary SQL commands.
Vulnerability
A critical SQL injection vulnerability exists in the add_new_purchase.php script of Pharmacy Management System version 1.0. The name parameter passed via GET request to the endpoint /php/add_new_purchase.php?action=is_supplier is not properly sanitized, allowing an attacker to inject arbitrary SQL commands. This affects the supplier validation functionality and is classified as critical [2].
Exploitation
An attacker can exploit this vulnerability remotely without authentication by sending a crafted GET request to the vulnerable endpoint. The proof-of-concept demonstrates a time-based blind SQL injection using a SLEEP(5) payload in the name parameter, as shown in reference [2]. No special privileges or user interaction are required.
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries on the database, leading to potential disclosure of sensitive supplier information, manipulation of purchase records, or complete compromise of the database integrity. This can disrupt business operations and expose confidential data [2].
Mitigation
As of the publication date, no official patch is available for this vulnerability. The vendor has not released a fixed version. Mitigation efforts should focus on input validation and using parameterized queries to prevent SQL injection. Until a patch is provided, administrators should consider restricting access to the vulnerable endpoint or applying a Web Application Firewall (WAF) rule [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper sanitization of the `name` GET parameter in the supplier validation functionality allows SQL injection."
Attack vector
An attacker sends a crafted GET request to `/php/add_new_purchase.php?action=is_supplier` with a malicious `name` parameter containing SQL injection payloads [ref_id=1]. The request can be made remotely with no authentication required, and the PoC demonstrates a time-based blind injection using `SLEEP(5)` to confirm database manipulation [ref_id=1]. The `name` parameter is directly concatenated into a SQL query without sanitization, allowing arbitrary SQL commands to be executed [ref_id=1].
Affected code
The vulnerable endpoint is `/php/add_new_purchase.php?action=is_supplier` in the Pharmacy Management System version 1.0 [ref_id=1]. The `name` parameter passed via GET request is improperly sanitized before being used in a SQL query within the supplier validation functionality [ref_id=1].
What the fix does
No patch is available for this vulnerability [ref_id=1]. The advisory states the flaw remains unpatched and recommends immediate attention to prevent data leaks, unauthorized access, or operational disruptions [ref_id=1]. Remediation would require implementing proper input sanitization or parameterized queries for the `name` parameter in the supplier validation logic.
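The remediation the advisory names, shown as an added PHP example that is not the project's own code: a hypothetical supplier lookup with the `name` GET parameter concatenated into the query text, beside the parameterized form that fixes it. The table and column names, the length bound and the database credentials are assumptions.

```php
<?php
// Added illustration, not code from the Pharmacy Management System itself:
// a hypothetical "is_supplier" lookup in the shape the advisory describes,
// first with the defect (the `name` GET parameter spliced into the SQL text)
// and then with the parameterized query the advisory recommends.
// Table/column names (`suppliers`, `supplier_name`) and the DB credentials
// are assumptions.

// Defective pattern: the value of `name` becomes part of the SQL statement,
// so whoever controls the parameter controls the query structure.
function is_supplier_vulnerable(mysqli $db, string $name): bool
{
    $sql = "SELECT id FROM suppliers WHERE supplier_name = '" . $name . "'";
    $result = $db->query($sql);
    return $result !== false && $result->num_rows > 0;
}

// Hardened pattern: the SQL text is constant and `name` is sent as a bound
// value, so its content can never change what the statement does.
function is_supplier(mysqli $db, string $name): bool
{
    $stmt = $db->prepare('SELECT id FROM suppliers WHERE supplier_name = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $name); // 's' = bind as a string
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

// Request handling for action=is_supplier; only the hardened lookup is used.
if (($_GET['action'] ?? '') === 'is_supplier') {
    $name = $_GET['name'] ?? '';
    // Defence in depth: reject values that cannot be a supplier name before
    // the database is involved at all (length bound is an assumption).
    if ($name === '' || strlen($name) > 100) {
        http_response_code(400);
        exit('invalid supplier name');
    }
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
    $db->set_charset('utf8mb4');
    header('Content-Type: application/json');
    echo json_encode(['is_supplier' => is_supplier($db, $name)]);
}
```

The bound parameter is what removes the flaw; the length check only narrows the input surface and is not a substitute for it.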
Preconditions
- Network: The attacker must be able to send HTTP GET requests to the vulnerable endpoint.
- Input: The `name` parameter is accepted without sanitization, requiring no special input validation bypass.
Reproduction
1. Send a GET request to `http://
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gist.github.com/higordiego/26694ace59cbc1e1f8366bef96953569 (mitre; exploit)
- vuldb.com (mitre; third-party-advisory)
- code-projects.org (mitre; product)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)
News mentions
No linked articles in our index yet.