CVE-2021-47956 Overview
CVE-2021-47956 is an SQL injection vulnerability [CWE-89] in EgavilanMedia PHPCRUD 1.0. The flaw resides in the insert.php endpoint, which fails to sanitize the firstname parameter before incorporating it into a database query. Unauthenticated attackers can send crafted POST requests containing SQL payloads to manipulate the underlying query logic. Successful exploitation allows extraction of sensitive information from the backing MySQL database. The application is a public CRUD (Create, Read, Update, Delete) tutorial project distributed by EgavilanMedia, and no authentication is required to reach the vulnerable endpoint.
Critical Impact
Remote, unauthenticated attackers can exfiltrate database contents by injecting SQL through the firstname POST parameter of insert.php.
Affected Products
- EgavilanMedia PHPCRUD 1.0
- Deployments based on the EgavilanMedia CRUD with PHP, MySQL, Bootstrap, and Dompdf guide
- Any forks reusing the unsanitized insert.php handler
Discovery Timeline
- 2026-05-16 - CVE-2021-47956 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2021-47956
Vulnerability Analysis
The vulnerability is a classic SQL injection [CWE-89] in the data insertion routine of PHPCRUD 1.0. The insert.php script receives user-supplied POST values and concatenates them directly into a MySQL INSERT statement. Because the firstname parameter is neither escaped nor bound through prepared statements, attacker-controlled syntax becomes part of the executed query. An attacker can break out of the intended string context and append additional SQL clauses to read data from arbitrary tables.
The affected operation is reachable over the network without credentials or user interaction. The impact concentrates on confidentiality of database contents, including any records stored by the CRUD application or accessible to its MySQL user.
Root Cause
The root cause is direct string concatenation of HTTP request parameters into SQL statements. PHPCRUD 1.0 does not use mysqli prepared statements or PDO parameter binding, and it does not call sanitization functions such as mysqli_real_escape_string before query execution. The firstname field is treated as trusted input.
Attack Vector
An attacker sends a POST request to insert.php with a payload in the firstname field. Typical exploitation uses a UNION SELECT clause to append columns from sensitive tables, or boolean and time-based techniques to enumerate the schema. Because the endpoint is unauthenticated, the attack can be launched directly from the public network. Reference exploitation details are available in the Exploit-DB #49878 entry and the VulnCheck advisory for EgavilanMedia.
The vulnerability manifests in the unsanitized handling of the firstname POST parameter inside the SQL insert routine. See the linked advisories for full proof-of-concept payloads.
Detection Methods for CVE-2021-47956
Indicators of Compromise
- POST requests to /insert.php whose firstname field contains SQL meta-characters or keywords such as ', --, UNION, SELECT, or SLEEP(.
- Web server logs showing abnormally long firstname values or repeated submissions from the same source within seconds.
- MySQL error log entries referencing syntax errors originating from the PHPCRUD insert query.
- Outbound queries from the web host to attacker-controlled hosts following suspicious POST traffic.
Detection Strategies
- Deploy web application firewall signatures that flag SQL keywords and tautologies in POST bodies sent to insert.php.
- Enable MySQL general query logging on test environments to identify malformed INSERT statements driven by external input.
- Correlate HTTP 500 responses from insert.php with the originating client IP to surface probing activity.
Monitoring Recommendations
- Monitor authentication-free PHP endpoints exposed to the internet for anomalous request rates and payload sizes.
- Alert on database user activity that performs SELECT operations against system tables such as information_schema.tables from the web application account.
- Capture and retain raw HTTP request bodies for forensic review of suspected injection attempts.
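The indicators and detection strategies above can be applied directly to captured request records. The following is an added example (not part of the advisory or the PHPCRUD project) that scans constructed sample requests for insert.php and reports the signals listed above: SQL meta-characters or keywords in the firstname field, oversized names, bursts of submissions from one client, and repeated HTTP 500 responses. The request records, the length and burst thresholds, and the record layout are assumptions made for the example; a real deployment would feed it from retained request bodies.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import parse_qs

# Constructed sample records, not real traffic. Each record is one captured
# HTTP request with its body: (timestamp, client IP, method, path, status, body).
SAMPLE_REQUESTS = [
    ("2024-01-01T10:00:00", "203.0.113.5", "POST", "/insert.php", 200, "firstname=Alice&lastname=Smith"),
    ("2024-01-01T10:00:02", "198.51.100.9", "POST", "/insert.php", 500, "firstname=a'&lastname=x"),
    ("2024-01-01T10:00:03", "198.51.100.9", "POST", "/insert.php", 500, "firstname=a'+UNION+SELECT+1,2--+-&lastname=x"),
    ("2024-01-01T10:00:04", "198.51.100.9", "POST", "/insert.php", 200, "firstname=a'+AND+SLEEP(5)--+-&lastname=x"),
    ("2024-01-01T10:00:30", "203.0.113.7", "POST", "/insert.php", 200, "firstname=" + "A" * 300 + "&lastname=y"),
    ("2024-01-01T10:01:00", "203.0.113.5", "GET", "/index.php", 200, ""),
]

# Indicators named in the advisory: quote, comment marker, UNION, SELECT, SLEEP(.
SQLI_PATTERN = re.compile(r"'|--|\bUNION\b|\bSELECT\b|SLEEP\s*\(", re.IGNORECASE)
MAX_NAME_LENGTH = 64       # assumed threshold for an "abnormally long" firstname
BURST_WINDOW_SECONDS = 10  # assumed window for "repeated submissions within seconds"
BURST_THRESHOLD = 3        # assumed number of POSTs in the window that counts as a burst


def firstname_from_body(body):
    """Return the decoded firstname value from a urlencoded POST body, or None."""
    values = parse_qs(body, keep_blank_values=True).get("firstname")
    return values[0] if values else None


def analyze(requests):
    """Return a list of (client_ip, reason) findings for POST traffic to insert.php."""
    findings = []
    submissions = defaultdict(list)  # client IP -> timestamps of insert.php POSTs
    errors = Counter()               # client IP -> number of HTTP 500 responses
    for ts, ip, method, path, status, body in requests:
        if method != "POST" or path != "/insert.php":
            continue
        submissions[ip].append(datetime.fromisoformat(ts))
        if status == 500:
            errors[ip] += 1
        name = firstname_from_body(body)
        if name is None:
            continue
        if SQLI_PATTERN.search(name):
            findings.append((ip, "sqli-indicator"))
        if len(name) > MAX_NAME_LENGTH:
            findings.append((ip, "oversized-firstname"))
    # Burst detection: BURST_THRESHOLD or more POSTs from one client inside the window.
    for ip, times in submissions.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if (t - start).total_seconds() <= BURST_WINDOW_SECONDS]
            if len(in_window) >= BURST_THRESHOLD:
                findings.append((ip, "burst-submissions"))
                break
    # Repeated server errors from one client suggest probing of the insert query.
    for ip, count in errors.items():
        if count >= 2:
            findings.append((ip, "repeated-500s"))
    return findings


if __name__ == "__main__":
    for client_ip, reason in analyze(SAMPLE_REQUESTS):
        print(client_ip, reason)
```

The keyword pattern is deliberately narrow and will miss obfuscated input; it is meant to triage retained request bodies, not to replace parameterized queries in the application.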
How to Mitigate CVE-2021-47956
Immediate Actions Required
- Remove or isolate any internet-facing deployment of EgavilanMedia PHPCRUD 1.0 until the code is remediated.
- Replace string-concatenated SQL in insert.php with parameterized queries using mysqli prepared statements or PDO binding.
- Restrict the database user assigned to the application to least-privilege rights on the specific CRUD table only.
Patch Information
No vendor patch has been published for EgavilanMedia PHPCRUD 1.0. The project is distributed as a tutorial codebase referenced on the EgavilanMedia CRUD guide. Operators must apply source-level fixes manually or migrate to a maintained framework. Refer to the VulnCheck advisory for EgavilanMedia for tracking status.
Workarounds
- Place a web application firewall in front of the application with SQL injection rules enabled for the firstname parameter.
- Enforce server-side input validation that rejects non-alphabetic characters in name fields before they reach the query layer.
- Disable or remove the insert.php endpoint if the CRUD functionality is not required in production.
// Example hardening for insert.php: bind the POST values instead of concatenating them into the INSERT
$stmt = $conn->prepare("INSERT INTO users (firstname, lastname) VALUES (?, ?)");
if ($stmt === false) {
    die("Prepare failed: " . htmlspecialchars($conn->error));
}
$stmt->bind_param("ss", $_POST['firstname'], $_POST['lastname']);
$stmt->execute();
$stmt->close();
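To make the root cause and the two mitigations concrete, here is an added example (not code from the advisory or from PHPCRUD) that uses an in-memory SQLite table as a stand-in for the MySQL users table. It contrasts the concatenated INSERT that PHPCRUD 1.0 uses with the placeholder-bound form, and implements the letters-only validation workaround for name fields. The table layout, the allow-list pattern, and the test inputs are assumptions; the name O'Brien is chosen because it shows both that attacker-independent input already breaks the concatenated query and that strict alphabetic validation rejects legitimate names, which is why validation is defense in depth and binding is the actual fix.

```python
import re
import sqlite3

# Allow-list for name fields per the workaround above: letters only (assumed pattern).
# Note that it rejects legitimate names such as O'Brien; adjust for your locale.
NAME_PATTERN = re.compile(r"^[A-Za-z]{1,64}$")


def validate_name(value):
    """Return True if the value passes the letters-only allow-list."""
    return isinstance(value, str) and NAME_PATTERN.fullmatch(value) is not None


def new_db():
    """In-memory SQLite table standing in for the CRUD app's MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT)")
    return conn


def insert_unsafe(conn, firstname, lastname):
    """Mirrors the root cause: request values are concatenated into the SQL text,
    so any quote in the input becomes part of the query syntax."""
    sql = "INSERT INTO users (firstname, lastname) VALUES ('%s', '%s')" % (firstname, lastname)
    conn.execute(sql)


def insert_safe(conn, firstname, lastname):
    """Hardened form: placeholders keep the values as data regardless of content."""
    conn.execute("INSERT INTO users (firstname, lastname) VALUES (?, ?)", (firstname, lastname))


def stored_names(conn):
    """Return the firstname values currently in the table, in insertion order."""
    return [row[0] for row in conn.execute("SELECT firstname FROM users ORDER BY id")]


def demo(firstname, lastname):
    """Run the same input through both insert paths on a fresh table.
    Returns (outcome of the unsafe insert, names stored after the safe insert)."""
    conn = new_db()
    try:
        insert_unsafe(conn, firstname, lastname)
        unsafe = "stored"
    except sqlite3.Error as exc:
        unsafe = "error: " + exc.__class__.__name__
    insert_safe(conn, firstname, lastname)
    return unsafe, stored_names(conn)


if __name__ == "__main__":
    for name in ("Alice", "O'Brien"):
        print(name, "passes allow-list:", validate_name(name))
        print(name, "->", demo(name, "Example"))
```

The unsafe path raises a syntax error on O'Brien because the quote terminates the string literal early, which is exactly the mechanism an injected payload relies on; the bound path stores the name intact.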
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.