In /controller/api/login.php
It will receive a parameter called "telephone" to search for existing users.
But in fact, this parameter just becomes a part of the SQL request without any processing, so it will be possible to have a SQL injection.
We can use SQLMAP to test this vulnerability:
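The pattern this report describes, next to a parameterized fix, as an added example that is not the project's code. The `users` table, its columns, the function names and the phone-number rule are assumptions made for illustration, and an in-memory SQLite database stands in for the application's database.

```php
<?php
declare(strict_types=1);
// Added example: table, columns and function names are hypothetical.
// In-memory SQLite (assumption) stands in for the application's database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, telephone TEXT, name TEXT)');
$pdo->exec("INSERT INTO users (telephone, name) VALUES ('13800000001','alice'), ('13800000002','bob')");

// Reported pattern: the parameter is concatenated into the SQL text.
function findUserUnsafe(PDO $pdo, string $telephone): array
{
    $sql = "SELECT id, name FROM users WHERE telephone = '" . $telephone . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix: the value is bound as data and never parsed as SQL.
function findUserBound(PDO $pdo, string $telephone): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE telephone = :telephone');
    $stmt->execute([':telephone' => $telephone]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth: reject values that are not phone-shaped before querying.
function findUserValidated(PDO $pdo, string $telephone): array
{
    // Constructed rule: optional '+' followed by 6 to 15 digits.
    if (preg_match('/\A\+?[0-9]{6,15}\z/', $telephone) !== 1) {
        return [];
    }
    return findUserBound($pdo, $telephone);
}

// Constructed inputs: one stored number, one value containing a quote.
$inputs = ['13800000001', "x' OR '1'='1"];
foreach ($inputs as $in) {
    // Print how many rows each variant returns for the same input.
    printf("%-16s unsafe=%d bound=%d validated=%d\n",
        $in,
        count(findUserUnsafe($pdo, $in)),
        count(findUserBound($pdo, $in)),
        count(findUserValidated($pdo, $in)));
}
```

Running it needs the `pdo_sqlite` extension; comparing the row counts per input shows where the concatenated query stops treating the parameter as a plain value.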