Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description#
The code builds SQL queries by directly combining strings or using string formatting functions, which makes it possible for untrusted input to alter the intended SQL command. This approach does not properly separate user input from the SQL logic, opening the door to unsafe queries.
Impact#
If exploited, an attacker could manipulate database queries to access, modify, or delete data without authorization, potentially exposing sensitive information or compromising the entire database. This can lead to data breaches, loss of data integrity, and severe damage to the application’s reputation and reliability.