Fishing Reservation System 7.5 – ‘uid’ SQL Injection
Multiple remote SQL injection vulnerabilities have been discovered in the Fishing Reservation System application. They allow remote attackers to inject and execute their own SQL commands against the application's DBMS and, through it, the underlying file system. The affected inputs are the pid, type, and uid parameters of the admin.php control panel file. Because these parameters are used to build an ORDER BY clause without validation, the issue is a classic order-by remote SQL injection. A guest or other low-privileged web-application account is sufficient to exploit it, and no user interaction is required. Successful exploitation compromises the database management system, the web server, and the web application.
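The ORDER BY pattern described above cannot be fixed with bound parameters alone, because SQL drivers only bind values, not identifiers. The following is an added example (not code from the Fishing Reservation System or from the advisory) that contrasts a sort-column parameter spliced into the statement text with a version that maps the request value through a fixed allowlist and binds value parameters with placeholders. The schema, table name, and row data are constructed for the demonstration and are assumptions, not the application's real layout.

```python
import sqlite3

# Constructed in-memory schema standing in for the application's database.
# The table and columns are assumptions chosen to mirror the parameter names
# named in the advisory (uid, pid, type); the real schema is not published.
SCHEMA = """
CREATE TABLE reservations (
    id   INTEGER PRIMARY KEY,
    uid  INTEGER NOT NULL,
    pid  INTEGER NOT NULL,
    type TEXT    NOT NULL
);
INSERT INTO reservations (uid, pid, type)
VALUES (2, 10, 'boat'), (1, 11, 'pier'), (3, 12, 'boat');
"""


def connect():
    """Open a fresh in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_reservations_vulnerable(conn, order_by):
    """Vulnerable pattern: the sort column comes straight from the request and is
    concatenated into the statement text, so whatever the caller sends is parsed
    and executed as SQL, not treated as a column name."""
    sql = "SELECT id, uid, pid, type FROM reservations ORDER BY " + order_by
    return conn.execute(sql).fetchall()


# Allowlist of request values -> real column identifiers. Only these strings
# can ever reach the statement text; anything else is rejected before the DB.
SORTABLE = {"uid": "uid", "pid": "pid", "type": "type"}


def list_reservations_safe(conn, order_by, direction="ASC"):
    """Hardened pattern: the identifier is looked up in SORTABLE and the sort
    direction is normalised to one of two fixed tokens. No request-controlled
    text is ever interpolated into the query."""
    column = SORTABLE.get(order_by)
    if column is None:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    direction = "DESC" if str(direction).upper() == "DESC" else "ASC"
    sql = f"SELECT id, uid, pid, type FROM reservations ORDER BY {column} {direction}"
    return conn.execute(sql).fetchall()


def find_by_uid_safe(conn, uid):
    """Value parameters (as opposed to identifiers) are bound through a
    placeholder, so the driver hands them to the engine as data, never as SQL."""
    return conn.execute(
        "SELECT id, uid, pid, type FROM reservations WHERE uid = ?", (uid,)
    ).fetchall()


if __name__ == "__main__":
    db = connect()
    print(list_reservations_vulnerable(db, "uid"))      # works, but so would any SQL fragment
    print(list_reservations_safe(db, "uid", "DESC"))     # allowlisted column, fixed direction
    try:
        list_reservations_safe(db, "uid DESC LIMIT 1")   # rejected before reaching the engine
    except ValueError as exc:
        print("rejected:", exc)
    print(find_by_uid_safe(db, 2))
```

The key point for review is the difference in where untrusted text ends up: in the vulnerable function it becomes part of the parsed statement, so even a harmless-looking fragment such as `uid DESC LIMIT 1` is executed as SQL; in the hardened function the only strings that reach the statement are literals the code itself owns. When auditing a PHP file like admin.php for this class of bug, look for `ORDER BY` built with string concatenation or interpolation of `$_GET`/`$_POST` values and replace it with the same allowlist lookup.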