Flashcard Quiz App v1.0 - 'card' SQL Injection

Exploit Author: SoSPiro
Analysis Author: www.bubbleslearn.ir
Category: Remote
Language: PHP
Published Date: 2024-02-26
# Exploit Title: Flashcard Quiz App v1.0 - 'card' SQL Injection
# Google Dork: N/A
# Application: Flashcard Quiz App
# Date: 25.02.2024
# Bugs: SQL Injection 
# Exploit Author: SoSPiro
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/17160/flashcard-quiz-app-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Windows 10 64 bit Wampserver 
# CVE : N/A


## Vulnerability Description:

endpoint/delete-flashcard.php reads the 'card' request parameter and concatenates it straight into a DELETE statement, with no validation, escaping or parameterization. An attacker therefore controls the WHERE clause (and, depending on how the application executes the query, can append further statements), which allows rows to be deleted or other unauthorized actions to be performed against the database.


## Proof of Concept (PoC):

The injection point is the 'card' parameter in the URL of endpoint/delete-flashcard.php. The check below is time-based: the appended SELECT makes the server pause when its MySQL version matches the tested string.

1. Original Code:

$card = $_GET['card'];

$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";

2. Payload:

' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --

3. Injected Query:

DELETE FROM tbl_card WHERE tbl_card_id = '' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); -- '

Notes on the payload:

  • The trailing ' is the closing quote of the original query. MySQL treats -- as a comment only when whitespace follows it, so the payload has to end with "-- " and the space must survive URL encoding (send it as %20).
  • OR '1'='1' matches every row: sending this request to a live instance empties tbl_card. Use a throwaway database.
  • The delay appears only when the server version starts with 8.0.31. An unconditional SLEEP(5) confirms injectability on any version; the conditional form is a version fingerprint.
  • The second statement runs only if the application issues the query with multi-statement support (mysqli_multi_query(), or PDO with emulated prepares and multi-statements enabled). A single-statement call makes the server reject the whole string as a syntax error.

Request/response screenshot: https://i.imgur.com/5IXvpiZ.png


## Vulnerable code section:
====================================================
endpoint/delete-flashcard.php

$card = $_GET['card'];

$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";


Flashcard Quiz App v1.0 – SQL Injection Vulnerability in 'card' Parameter

Security flaws in web applications often stem from inadequate input validation and improper handling of user data. One such vulnerability was recently discovered in the Flashcard Quiz App v1.0, a PHP-based educational tool hosted on SourceCodester. The application allows users to manage flashcards via a simple interface, but its underlying code contains a critical SQL injection flaw in the delete-flashcard.php endpoint.

Exploitation Overview

Attackers can exploit this vulnerability by manipulating the card parameter in the URL. The application retrieves the value directly from the $_GET superglobal without sanitization, then inserts it into a SQL query without proper escaping or parameterization. This opens the door for malicious SQL code injection.


$card = $_GET['card'];
$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";

This code snippet is the core of the vulnerability. The $card variable is embedded into the SQL string between single quotes, so any input containing a quote breaks out of the literal. An attacker can supply crafted input to alter the query's logic or, where the query is executed with multi-statement support, append further SQL statements.

Proof of Concept (PoC) Payload

Consider the following malicious payload:


' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --

When injected into the card parameter, the resulting query becomes:


DELETE FROM tbl_card WHERE tbl_card_id = '' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --

This query is syntactically valid and dangerous. The OR '1'='1' condition is always true, so the DELETE no longer matches one ID but every row in tbl_card. The appended SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0) is a time-based blind technique: when the MySQL version string starts with 8.0.31, the server calls SLEEP(5) and the response arrives about five seconds late, which confirms both the injection and the version. On a different MySQL version this particular payload produces no delay even though the endpoint is still injectable, and the appended statement only runs if the application executes the query with multi-statement support.

As demonstrated in the proof-of-concept screenshot, the server response delay confirmed the presence of the vulnerability.

Why This Is a Critical Risk

SQL injection attacks can lead to:

  • Data Theft: Unauthorized access to sensitive data stored in the database.
  • Data Manipulation: Deletion, modification, or insertion of records without authorization.
  • Privilege Escalation: Exploiting the database to gain administrative access.
  • Remote Code Execution: if the database account holds file or plugin privileges (for MySQL, the FILE privilege behind SELECT ... INTO OUTFILE, or the ability to load a user-defined function), an attacker may reach the host operating system.

In the case of Flashcard Quiz App, the DELETE operation is particularly dangerous. A single request with a tautology deletes every flashcard, and where stacked queries are possible an attacker can go further and modify other tables or the schema.

Real-World Impact

While this app is intended for educational use, its exposure on a public code-sharing platform like SourceCodester increases the risk of exploitation by malicious actors. Developers and administrators who deploy this code without security review are at risk of:

  • Loss of data integrity.
  • Compromised user privacy.
  • Server-side vulnerabilities that could be leveraged in broader attacks.

Even if the app is deployed on a local environment such as WAMP, the lack of input validation means anyone who can reach the server on the local network can wipe the table with one request.

Secure Coding Practices & Fixes

Proper mitigation is to use prepared statements (parameterized queries) instead of string concatenation, and to validate the ID before it reaches the database. Here is a corrected version of the vulnerable code ($pdo is assumed to be an existing PDO connection to the MySQL database):


$card = $_GET['card'] ?? '';

// Validate input: the card ID must be a positive integer
$id = filter_var($card, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);
    exit('Invalid card id');
}

// Prepared statement: the value is sent separately from the SQL text
$stmt = $pdo->prepare("DELETE FROM tbl_card WHERE tbl_card_id = ?");
$stmt->execute([$id]);

Key improvements:

  • Input validation: FILTER_VALIDATE_INT with min_range rejects anything that is not a positive integer (including "1.5", "1e3" and the PoC payload) before any query is built.
  • Prepared statements: the ID travels as a bound parameter, so it can never change the structure of the statement.
  • Database abstraction: PDO instead of raw MySQL functions. With PDO_MySQL, also set PDO::ATTR_EMULATE_PREPARES to false (and PDO::MYSQL_ATTR_MULTI_STATEMENTS to false when creating the connection) so statements are prepared server-side and one call can never run stacked queries like the one in the PoC.
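To make the difference between the two handlers concrete, here is an added example (mine, not code from the Flashcard Quiz App) that models the PHP endpoint in Python on an in-memory SQLite table and runs the advisory's payloads through a string-concatenated version and a validated, parameterized version. The tbl_card schema and rows are constructed for the demo; SQLite has no SLEEP() or IF(), so the stacked payload uses SELECT 1 as its second statement.

```python
"""Vulnerable versus hardened delete handler, modelled in Python on SQLite.

Added example, not code from the Flashcard Quiz App: it reproduces the PHP
endpoint's behaviour with Python's sqlite3 module so the effect of the
advisory's payloads can be run offline. The tbl_card schema and rows are
constructed for the demo.
"""
import re
import sqlite3

POC_PAYLOAD = "' OR '1'='1"                      # tautology part of the advisory payload
STACKED_PAYLOAD = "' OR '1'='1'; SELECT 1; -- "   # stacked form (SELECT 1 stands in for the MySQL-only IF/SLEEP)


def make_db():
    """In-memory table with three constructed flashcards."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_card (tbl_card_id INTEGER PRIMARY KEY, front TEXT, back TEXT)")
    conn.executemany("INSERT INTO tbl_card VALUES (?, ?, ?)",
                     [(1, "cat", "gato"), (2, "dog", "perro"), (3, "house", "casa")])
    conn.commit()
    return conn


def remaining_ids(conn):
    return [row[0] for row in conn.execute("SELECT tbl_card_id FROM tbl_card ORDER BY 1")]


def delete_card_vulnerable(conn, card):
    """Mirror of endpoint/delete-flashcard.php: user input spliced into the SQL string."""
    query = f"DELETE FROM tbl_card WHERE tbl_card_id = '{card}'"
    conn.execute(query)
    conn.commit()
    return query


def delete_card_hardened(conn, card):
    """Validate the ID as a positive integer, then bind it as a parameter."""
    if not isinstance(card, str) or not re.fullmatch(r"[1-9][0-9]*", card):
        raise ValueError("card must be a positive integer")
    cur = conn.execute("DELETE FROM tbl_card WHERE tbl_card_id = ?", (int(card),))
    conn.commit()
    return cur.rowcount


def demo():
    """Run both handlers against the same inputs and collect what happened."""
    results = {}

    conn = make_db()
    delete_card_vulnerable(conn, "2")
    results["vuln_normal"] = remaining_ids(conn)          # [1, 3]

    conn = make_db()
    delete_card_vulnerable(conn, POC_PAYLOAD)
    results["vuln_tautology"] = remaining_ids(conn)       # [] - every row gone

    conn = make_db()
    try:
        delete_card_vulnerable(conn, STACKED_PAYLOAD)
        results["vuln_stacked"] = "executed"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # sqlite3's execute() refuses more than one statement, like a
        # single-statement mysqli_query(); the whole string is rejected
        # before anything runs, so nothing is deleted.
        results["vuln_stacked"] = "rejected"
    results["vuln_stacked_ids"] = remaining_ids(conn)     # [1, 2, 3]

    conn = make_db()
    results["hard_normal"] = delete_card_hardened(conn, "2")   # 1 row
    for bad in (POC_PAYLOAD, STACKED_PAYLOAD, "2 OR 1=1", "-1", "0", "2.0"):
        try:
            delete_card_hardened(conn, bad)
            results["hard_" + bad] = "deleted"
        except ValueError:
            results["hard_" + bad] = "rejected"
    results["hard_ids"] = remaining_ids(conn)                  # [1, 3]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:30} {value}")
```

The stacked case is the one to watch when porting this back to PHP: whether the second statement executes is a property of the database call, not of the SQL, which is why the PDO attributes above matter as much as the prepared statement itself.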

Additionally, developers should:

  • Log and alert on requests whose 'card' value is not a plain integer; with Apache, add %D to the LogFormat so a SLEEP-induced delay is visible in the access log.
  • Use role-based access control (RBAC) to limit delete operations.
  • Regularly audit code for common vulnerabilities using tools like OWASP ZAP or SQLMap.
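As an added example for the logging recommendation (mine, not part of the original analysis or the application), the script below scans Apache combined-format access log lines for requests to delete-flashcard.php whose 'card' value is not a positive integer, and gives a more specific reason when SQL metacharacters or keywords are present. The four log lines are constructed for the demo and use RFC 5737 documentation addresses; the third one carries the advisory's payload exactly as a browser or script would encode it.

```python
"""Flag suspicious requests to delete-flashcard.php in web-server access logs.

Added example, not part of the original analysis or the app. It parses Apache
combined-format lines, pulls the 'card' query parameter and reports any value
that is not a plain positive integer, with a more specific reason when SQL
metacharacters or keywords appear. The log lines are constructed for the demo.
"""
import re
from urllib.parse import urlsplit, parse_qs

LOG_LINES = [
    '192.0.2.10 - - [25/Feb/2024:14:02:11 +0300] "GET /flashcard/endpoint/delete-flashcard.php?card=12 HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [25/Feb/2024:14:02:15 +0300] "GET /flashcard/index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Feb/2024:14:05:40 +0300] "GET /flashcard/endpoint/delete-flashcard.php?card=%27%20OR%20%271%27%3D%271%27%3B%20SELECT%20IF%28VERSION%28%29%20LIKE%20%278.0.31%25%27%2C%20SLEEP%285%29%2C%200%29%3B%20--%20 HTTP/1.1" 200 57 "-" "python-requests/2.31.0"',
    '203.0.113.9 - - [25/Feb/2024:14:05:52 +0300] "GET /flashcard/endpoint/delete-flashcard.php?card=12abc HTTP/1.1" 500 0 "-" "python-requests/2.31.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/endpoint/delete-flashcard.php"
# Quote, comment and statement separators, plus functions and keywords common
# in MySQL injection payloads. None of these belong in an integer ID field.
SQL_MARKERS = re.compile(r"""['"`;]|--|/\*|#|\b(select|union|sleep|benchmark|or|and|if|version)\b""", re.I)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def card_values(target):
    """All 'card' values from the request target, percent-decoded, or None
    when the request is not for the vulnerable endpoint."""
    parts = urlsplit(target)
    if not parts.path.endswith(ENDPOINT):
        return None
    return parse_qs(parts.query, keep_blank_values=True).get("card", [""])


def classify(value):
    """None for a well-formed ID, otherwise a short reason string."""
    if re.fullmatch(r"[1-9][0-9]*", value):
        return None
    if SQL_MARKERS.search(value):
        return "sql-injection-markers"
    return "non-numeric-card-id"


def scan(lines):
    """Return one hit per suspicious 'card' value, with who sent it and when."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        values = card_values(rec["target"])
        if values is None:
            continue
        for value in values:
            reason = classify(value)
            if reason:
                hits.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                             "reason": reason, "card": value})
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(f'{hit["ts"]} {hit["ip"]} {hit["reason"]} status={hit["status"]} card={hit["card"]!r}')
```

The rule is deliberately allow-list shaped: the endpoint only ever expects a positive integer, so anything else is worth a look regardless of whether it matches a known payload pattern. Percent-decoding happens in parse_qs, so the check sees the payload as the database would.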

Conclusion

The Flashcard Quiz App v1.0 serves as a cautionary example of how simple coding practices can lead to severe security flaws. The absence of input sanitization and reliance on string concatenation in SQL queries exposes the application to SQL injection attacks. This vulnerability, though seemingly minor, can result in catastrophic data loss or unauthorized access.

For developers, this case underscores the importance of:

  • Always validating user input.
  • Using secure database interaction methods.
  • Conducting regular security audits.

Security is not an afterthought—it must be integrated into every phase of development. The Flashcard Quiz App’s flaw reminds us that even open-source educational tools can pose significant risks if deployed without proper safeguards.