Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: csharp
Severity: medium
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

User input is being directly included in SQL queries without using parameterized queries or proper sanitization. This allows attackers to manipulate the SQL statement by injecting malicious code.

Impact

If exploited, an attacker could gain unauthorized access to, modify, or delete data in the database. This may lead to data breaches, loss of data integrity, or even complete compromise of the application’s backend database.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: go
Severity: medium
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The code builds SQL queries by concatenating strings with variables, which can allow untrusted input to alter the structure of the SQL command. This makes the application vulnerable to SQL injection attacks. Use parameterized queries or prepared statements to safely handle user input.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: go
Severity: medium
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Building SQL queries by concatenating variables or using string formatting in go-pg can expose your code to SQL injection if any part of the query comes from user input. Instead, always use parameterized queries to safely handle dynamic values.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: go
Severity: medium
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Building SQL queries in Go pgx by concatenating variables (especially user input) directly into the query string can allow attackers to inject malicious SQL code. Instead, parameterized queries should be used to safely pass variables to the database.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: go
Severity: medium
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The code builds SQL queries for the go-pg ORM by directly concatenating variables into the query string. If any of these variables come from user input and aren’t properly sanitized, this leaves the code vulnerable to SQL injection.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: go
Severity: medium
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The code builds SQL queries by directly combining strings or using string formatting functions, which makes it possible for untrusted input to alter the intended SQL command. This approach does not properly separate user input from the SQL logic, opening the door to unsafe queries.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: go
Severity: high
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: High
Impact Level: Medium
Likelihood Level: High

Description

User input is being directly inserted into SQL query strings without proper handling. This makes it possible for attackers to manipulate the query and access or modify database data. Always use prepared statements or an ORM to safely include user data in SQL queries.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: go
Severity: high
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

The code builds SQL queries by directly concatenating or inserting user input into the query string. This practice makes it easy for attackers to inject malicious SQL code and manipulate the database.

Impact

If exploited, an attacker could read, modify, or delete sensitive data in your database, potentially leading to data breaches, data loss, or unauthorized access to user accounts. This can severely compromise both the security and integrity of your application and its users.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: go
Severity: high
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

Your code is building SQL queries using values taken directly from the AWS Lambda $EVENT object without proper sanitization. This approach allows user-controlled input to be included in SQL statements, making the application vulnerable to SQL injection.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: go
Severity: high
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: High
Impact Level: Medium
Likelihood Level: High

Description

User input is being passed directly to dangerous GORM methods like Order, Exec, or Raw without proper validation or escaping. This allows attackers to manipulate SQL queries, leading to SQL injection vulnerabilities.

Impact

If exploited, an attacker could run arbitrary SQL commands against your database—stealing, modifying, or deleting data, bypassing authentication, or even gaining full control of the application’s backend. This puts both user data and system integrity at severe risk.