I'm building a student management system using PHP and CodeIgniter. After running a web app vulnerability scanner, I got a critical error: the 'stid' parameter is vulnerable to blind SQL injection. This parameter is used when a student creates an account, so the system takes this student ID and passes it to the database to see if it already exists or not. To make sure it's not a false alarm I also used sqlmap, and it also detected this blind SQL injection and dumped my databases. Below is the place where I believe there is a problem. I'd appreciate any suggestion to mitigate this problem. Thanks
```php
function student_status(){
    $input = $this->input->post();          // all POST fields, taken as-is
    $message = array();
    switch($input['content']) {
        case 'studentid':
            $user = new User();
            // DataMapper where() receives the raw 'stid' value from the request
            $user->where("registration_number_id",$input['stid'])->get();
            if($user->result_count()){
                $message['error'] = true;
                $message['message'] = 'User Already has an account';
            }else{
                $student = new StudentInfo();
                $student->where('registration_number',$input['stid'])->get();
                // the same raw value is also passed straight into get_basic_info()
                $this->commondata = $student->get_basic_info($input['stid']);
                // ... (the rest of this branch is not shown in the question)
            }
            break;
    }
}
```
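As an added example (not the question's code and not CodeIgniter's or DataMapper's own), here is a hardened version of the `studentid` branch: the id is validated against an expected shape before any lookup, the existence check uses Query Builder (which escapes its arguments), and the model's `get_basic_info()` uses CodeIgniter query bindings instead of interpolating the value. The table and column names (`users`, `student_info`, `first_name`, `last_name`), the id pattern and the JSON response shape are assumptions.

```php
<?php
// Added example, not the question's code. Assumes CodeIgniter 3 with the
// database and form_validation libraries available; table and column names
// (users, student_info, first_name, last_name) are assumptions.

class Student extends CI_Controller
{
    public function student_status()
    {
        $this->load->library('form_validation');
        $this->load->model('StudentInfo');

        // Reject anything that does not look like a registration number.
        // The pattern is an assumption; tighten it to the real id format.
        $this->form_validation->set_rules(
            'stid', 'Student ID', 'required|max_length[20]|regex_match[/^[A-Za-z0-9-]+$/]'
        );

        if ($this->form_validation->run() === FALSE) {
            $message = array('error' => true, 'message' => 'Invalid student id');
        } else {
            $stid = $this->input->post('stid');

            // Query Builder escapes the bound value; the id never reaches raw SQL.
            $exists = $this->db->where('registration_number_id', $stid)
                               ->count_all_results('users');

            if ($exists > 0) {
                $message = array('error' => true, 'message' => 'User Already has an account');
            } else {
                $message = array('error' => false,
                                 'student' => $this->StudentInfo->get_basic_info($stid));
            }
        }

        $this->output->set_content_type('application/json')
                     ->set_output(json_encode($message));
    }
}

class StudentInfo extends CI_Model
{
    // Query bindings: each ? is replaced by the escaped value, so a payload in
    // $stid is compared as data rather than executed as part of the statement.
    public function get_basic_info($stid)
    {
        $sql = 'SELECT registration_number, first_name, last_name '
             . 'FROM student_info WHERE registration_number = ? LIMIT 1';
        return $this->db->query($sql, array($stid))->row_array();
    }
}
```

Re-running the scanner and sqlmap against the endpoint after the change is the practical check that the blind injection finding no longer reproduces.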