Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Building SQL queries with the Go pgx driver by concatenating variables (especially user input) directly into the query string can allow attackers to inject malicious SQL code. Instead, parameterized queries should be used to safely pass variables to the database: the statement text stays fixed and the values are sent separately, so they can never change the structure of the query.
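The following is an added example, not code from this rule page or from the pgx project. It places the concatenating pattern beside the parameterized one; the `Querier` interface and the `recorder` that captures what would be sent are assumptions that mirror the `(ctx, sql, args...)` shape of pgx's `Exec`/`Query` methods so the code runs without a database.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// Querier is an assumed interface with the same call shape as pgx's
// Exec/Query methods (ctx, sql, args...); it lets the example run offline.
type Querier interface {
	Exec(ctx context.Context, sql string, args ...any) error
}

// recorder is a stand-in for a connection: it only stores what would be sent.
type recorder struct {
	sql  string
	args []any
}

func (r *recorder) Exec(_ context.Context, sql string, args ...any) error {
	r.sql, r.args = sql, args
	return nil
}

// findUserVulnerable concatenates the input into the SQL text. Any quote in
// the input ends the string literal and changes the statement's structure.
func findUserVulnerable(ctx context.Context, q Querier, name string) (string, error) {
	sql := "SELECT id FROM users WHERE name = '" + name + "'"
	return sql, q.Exec(ctx, sql)
}

// findUserSafe uses a positional placeholder ($1, pgx syntax). The SQL text is
// constant and the value travels as a separate argument.
func findUserSafe(ctx context.Context, q Querier, name string) (string, error) {
	const sql = "SELECT id FROM users WHERE name = $1"
	return sql, q.Exec(ctx, sql, name)
}

func main() {
	ctx := context.Background()
	r := &recorder{}
	// Constructed input: a legitimate name containing a single quote.
	vuln, _ := findUserVulnerable(ctx, r, "O'Brien")
	fmt.Printf("%q quotes=%d args=%v\n", vuln, strings.Count(vuln, "'"), r.args)
	safe, _ := findUserSafe(ctx, r, "O'Brien")
	fmt.Printf("%q quotes=%d args=%v\n", safe, strings.Count(safe, "'"), r.args)
}
```

The concatenated statement ends up with three quotes (the literal is broken by the input), while the parameterized statement is unchanged and the name appears only in the argument list.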
Impact
If exploited, attackers could manipulate your database queries to access, modify, or delete sensitive data, bypass authentication, or execute unauthorized operations. This can lead to data breaches, data loss, or full compromise of the application’s backend systems.