Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
User input is inserted directly into SQL query strings, which makes the code vulnerable to SQL injection. This happens when SQL statements are built by concatenating or formatting strings with user-provided data instead of passing that data as bound parameters of a prepared statement, so the database cannot tell where the query ends and the data begins.
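The following is an added example, not code from the original page or from the tool that produced this rule. It places the vulnerable pattern (input formatted into the query text) next to the hardened form (a fixed query with a bound parameter) and runs both against a constructed in-memory SQLite table. The table, the row values and the function names are assumptions made for the illustration; the point it shows is that with parameter binding the input is only ever treated as data, so a quote character inside a legitimate username works correctly instead of changing or breaking the query.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the example (not from the page): a small users table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user"), ("o'neil", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # CWE-89 pattern: the untrusted value is formatted straight into the SQL text,
    # so any quote character in it becomes part of the query's syntax.
    query = f"SELECT username, role FROM users WHERE username = '{username}' ORDER BY id"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Hardened form: the SQL text is a constant and the value is sent separately
    # as a bound parameter. The driver never splices it into the statement.
    query = "SELECT username, role FROM users WHERE username = ? ORDER BY id"
    return conn.execute(query, (username,)).fetchall()


def compare(username: str) -> tuple:
    # Run the same input through both functions and return (vulnerable_result, safe_result).
    # A syntax error from the vulnerable path is returned as a string instead of raising,
    # so the caller can see that a stray quote broke the query.
    conn = make_db()
    try:
        try:
            vulnerable = find_user_vulnerable(conn, username)
        except sqlite3.Error as exc:
            vulnerable = f"error: {exc}"
        safe = find_user_safe(conn, username)
    finally:
        conn.close()
    return vulnerable, safe


if __name__ == "__main__":
    # Ordinary input: both paths agree.
    print("bob          ->", compare("bob"))
    # A legitimate name containing a quote: the vulnerable path produces a syntax error,
    # the parameterized path finds the row.
    print("o'neil       ->", compare("o'neil"))
    # A quote-bearing value that turns the WHERE clause into a tautology: the vulnerable
    # path returns every row, the parameterized path returns none.
    print("' OR '1'='1  ->", compare("' OR '1'='1"))
```

The difference to look for is not the output of the happy path, which is identical, but the two other cases: with parameter binding a quote in the input can neither break the statement nor widen its `WHERE` clause, which is exactly the guarantee the description above asks for.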
Impact
An attacker could manipulate the resulting SQL queries to read, modify, or delete data in your database, potentially exposing sensitive information or corrupting the integrity of your application's data. This can lead to data breaches, data loss, or unauthorized actions being performed in your system.