This repository has been archived by the owner on Jan 27, 2022. It is now read-only.
We found several SQLi vulnerabilities in stock-management-system.
Details:
The user input $data is used to construct the SQL queries in the file routes/ApiRoutes.php. The application code validates the user input $data with a few validation functions (e.g., security()) in the file helpers/ValidateParams.php. The validation functions also invoke a few sanitizers such as htmlspecialchars(). However, these sanitizations and validations are not efficient at preventing SQLi attacks because they still allow sensitive characters ("\") to be injected into SQL statements. Therefore, the SQL statements are unsafe and attackers can exploit several SQLi vulnerabilities to compromise this application.
Patches:
We suggest adding mysqli_escape_string() sanitizers inside the validation functions to fix the vulnerabilities.
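The report's point is that an HTML-entity sanitizer never touches the backslash, so a value ending in "\" can swallow the closing quote the application appends to its literal. The following is an added example, not code from stock-management-system or from the reporter: it models both sanitizers (an htmlspecialchars()-style one and a mysqli_real_escape_string()-style one, both approximations for the default charset), splices the result into a constructed query of the shape the report describes, and checks where the quoted literal actually ends.

```python
"""Unit-test style check: does a sanitizer keep user input inside a quoted
SQL literal? Added example; the query and sanitizers are constructed here,
not taken from the project."""
import html
from typing import Callable, Optional


def html_sanitize(value: str) -> str:
    """Approximates PHP htmlspecialchars($v, ENT_QUOTES): quotes and angle
    brackets become entities, but the backslash passes through unchanged."""
    return html.escape(value, quote=True).replace("&#x27;", "&#039;")


def mysql_escape(value: str) -> str:
    """Approximates mysqli_real_escape_string() for a single-byte charset:
    backslash, quotes and a few control bytes get a leading backslash."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def literal_end(sql: str, start: int) -> Optional[int]:
    """Index of the closing quote of the single-quoted literal that opens at
    `start`, under MySQL rules: a backslash escapes the next character and
    '' is an escaped quote. Returns None if the literal never closes."""
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\":
            i += 2          # escaped character, skip it
            continue
        if ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2      # doubled quote inside the literal
                continue
            return i
        i += 1
    return None


def input_stays_in_literal(sanitizer: Callable[[str], str], user_input: str) -> bool:
    """Builds the query the way the report describes (sanitized value spliced
    between quotes) and checks that the literal closes exactly at the quote
    the application appended, i.e. the input could not reach the rest of
    the statement."""
    prefix = "SELECT * FROM products WHERE name = '"   # constructed query
    suffix = "' AND owner_id = 7"
    value = sanitizer(user_input)
    sql = prefix + value + suffix
    expected_close = len(prefix) + len(value)
    return literal_end(sql, len(prefix) - 1) == expected_close
```

Binding the value as a prepared-statement parameter removes the literal-boundary question entirely, which is why it is the usual preferred fix over escaping.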