Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description#
The code builds SQL queries for the go-pg ORM by directly concatenating variables into the query string. If any of these variables come from user input and aren’t properly sanitized, this leaves the code vulnerable to SQL injection.
Impact#
An attacker could manipulate the application to execute malicious SQL commands, potentially exposing, modifying, or deleting sensitive data. This can lead to data breaches, loss of data integrity, or full compromise of the database and associated systems.