code-projects Pharmacy Management System manage_customer.php sql injection
Description
A vulnerability classified as critical has been found in code-projects Pharmacy Management System 1.0. This affects an unknown part of the file /php/manage_customer.php?action=search. The manipulation of the argument text leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Critical SQL injection in Pharmacy Management System 1.0 via the text parameter in manage_customer.php allows remote attackers to execute arbitrary SQL commands.
Vulnerability
A critical SQL injection vulnerability exists in code-projects Pharmacy Management System version 1.0. The flaw resides in the /php/manage_customer.php endpoint when the action=search parameter is used. The text GET parameter is not sanitized before being used in SQL queries, allowing an attacker to inject arbitrary SQL commands. The vulnerable endpoint is /php/manage_customer.php?action=search&text=a [2].
Exploitation
An attacker can exploit this vulnerability remotely without authentication. By sending a crafted GET request with a malicious text parameter, the attacker can inject SQL code. A proof-of-concept request demonstrates the use of a time-based blind SQL injection payload using SLEEP(5) to confirm the vulnerability [2]. The attack requires no special privileges or user interaction.
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands against the underlying database. This can lead to unauthorized access to sensitive data (e.g., patient records, credentials), modification or deletion of database contents, and potential disruption of system operations. The impact is severe, as the database may contain critical information [2].
Mitigation
As of the publication date, no patch is available for this vulnerability [2]. The vendor (code-projects) has not released a fix. Users of Pharmacy Management System 1.0 should consider implementing input validation and parameterized queries as a workaround, or discontinue use of the vulnerable endpoint until a patch is provided. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of October 2024.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: = 1.0
- Range: 1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `text` parameter allows SQL injection."
Attack vector
An attacker sends a crafted GET request to `/php/manage_customer.php?action=search&text=` with malicious SQL payloads in the `text` parameter [ref_id=1]. The application does not sanitize or parameterize this input, allowing the attacker to inject arbitrary SQL commands. The attack is remotely exploitable over HTTP with no authentication required, as shown by the PoC request that uses a time-based blind SQL injection technique (`SLEEP(5)`) [ref_id=1].
Affected code
The vulnerable endpoint is `/php/manage_customer.php` with the `action=search` parameter. The `text` GET parameter is passed unsanitized into a SQL query, as demonstrated in the researcher's write-up [ref_id=1].
What the fix does
No patch is available for this vulnerability [ref_id=1]. The advisory notes the flaw remains unpatched and demands immediate attention [ref_id=1]. To remediate, the application must use parameterized queries (prepared statements) or properly escape the `text` input before including it in SQL statements.
Preconditions
- configThe target must be running Pharmacy Management System 1.0 with the manage_customer.php endpoint accessible
- authNo authentication is required; the attacker only needs network access to the web server
- networkThe attacker must be able to send HTTP GET requests to the vulnerable endpoint
- inputThe 'text' GET parameter is accepted without sanitization
Reproduction
Send the following GET request to the vulnerable server (replace `localhost:8080` with the target):
``` GET /php/manage_customer.php?action=search&text=a%25'%20AND%20(SELECT%209276%20FROM%20(SELECT(SLEEP(5)))rrau)%20AND%20'gdwz%25'%3d'gdwz HTTP/1.1 Host: localhost:8080 ```
If the application pauses for approximately 5 seconds before responding, the time-based blind SQL injection is confirmed [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- gist.github.com/higordiego/b57040961b993cb5f1bfe0005f6b57bemitreexploit
- vuldb.commitrethird-party-advisory
- code-projects.orgmitreproduct
- vuldb.commitresignaturepermissions-required
- vuldb.commitrevdb-entrytechnical-description
News mentions
0No linked articles in our index yet.