Key Information

Affected Product
Product Name: Online Hospital Management System
Version: V1.0
Vendor Homepage: https://www.campcodes.com/projects/online-hospital-management-system-using-php-and-mysql/

Vulnerable File and Version
Vulnerable File: /hms/admin/view-patient.php
Affected Version: V1.0

Vulnerability Type
Type: SQL Injection

Root Cause
In the file /hms/admin/view-patient.php, attackers can inject malicious code via the viewid parameter, which is used directly in SQL queries without proper sanitization or validation. This allows attackers to forge input values, manipulate SQL queries, and perform unauthorized operations.

Impact
Attackers can exploit this SQL injection vulnerability to gain unauthorized database access, leak sensitive data, tamper with data, compromise system control, and even cause service disruption, posing a serious threat to system security and business continuity.

Description
During a secondary review of the "Online Hospital Management System", a critical SQL injection vulnerability was discovered in line 16 of /hms/admin/view-patient.php. The vulnerability stems from insufficient validation of the user-supplied viewid parameter, allowing attackers to inject malicious SQL queries. As a result, attackers can gain unauthorized database access, modify database tables, and access sensitive information. Immediate mitigation measures are required to ensure system security and protect data integrity.

Vulnerability Details and POC
Exploitable without login or authorization
Vulnerability Identifier: viewid parameter
Payload Example:

Recommended Remediation
1. Use prepared statements with parameter binding.
2. Implement input validation and filtering.
3. Minimize database user privileges.
4. Conduct regular security audits.
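The following is an added illustration of remediation items 1 and 2, not code taken from the Online Hospital Management System. The advisory only states that viewid reaches a SQL query in /hms/admin/view-patient.php without validation; the table name tblpatient, the column names, the connection details and the helper function names are assumptions made for the example.

```php
<?php
// Added example (not the project's own code). Table, column and function
// names are assumptions; only the viewid parameter and the file name come
// from the advisory.

// Shape of the flaw the advisory describes (assumed reconstruction): the
// request parameter is concatenated into the statement text, so whatever the
// client sends becomes part of the SQL syntax rather than a bound value.
function getPatientVulnerable(mysqli $con, array $get): ?array
{
    $vid = $get['viewid'] ?? '';
    $sql = "SELECT * FROM tblpatient WHERE ID='" . $vid . "'"; // untrusted text inside the query
    $res = mysqli_query($con, $sql);
    return $res ? (mysqli_fetch_assoc($res) ?: null) : null;
}

// Remediated form: first validate that viewid is a positive integer (item 2),
// then pass it through a prepared statement with parameter binding (item 1),
// so the database engine treats the value strictly as data.
function getPatientSafe(mysqli $con, array $get): ?array
{
    $vid = filter_var(
        $get['viewid'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($vid === false) {
        http_response_code(400);   // reject anything that is not a valid patient ID
        return null;
    }

    // Select only the columns the page needs instead of SELECT *.
    $stmt = $con->prepare(
        "SELECT ID, PatientName, PatientContno FROM tblpatient WHERE ID = ?"
    );
    $stmt->bind_param('i', $vid);  // 'i' binds the value as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage sketch; credentials and database name are placeholders. The account
// used by the web application should hold only the SELECT/UPDATE rights the
// page actually needs (remediation item 3).
// $con = new mysqli('localhost', 'hms_app', 'PLACEHOLDER_PASSWORD', 'hms');
// $patient = getPatientSafe($con, $_GET);
```

Because the advisory notes that the page is reachable without login, the fix should also enforce the existing admin session check before any query runs; parameter binding closes the injection, but it does not by itself restore the missing authorization.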