Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description#
The code builds SQL queries by concatenating strings with variables, which can allow untrusted input to alter the structure of the SQL command. This makes the application vulnerable to SQL injection attacks. Use parameterized queries or prepared statements to safely handle user input.
Impact#
If exploited, an attacker could manipulate database queries to access, modify, or delete sensitive data, bypass authentication, or execute unauthorized commands. This could lead to data breaches, data loss, or full compromise of the application’s database.