Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | High |
Description
User input from HTTP requests is being directly inserted into SQL queries using string concatenation or formatting. This exposes the code to SQL injection attacks because attackers can manipulate the input to alter the query’s behavior. Use prepared statements or an ORM to safely handle user data in SQL queries.
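The weak pattern beside the corrected one, as an added example that is not part of this rule page: a lookup built by string formatting and the same lookup as a prepared statement, run over a constructed in-memory SQLite table. A legitimate username containing a quote is enough to show the difference: in the formatted query the quote ends the string literal and the remainder is parsed as SQL, while the bound parameter is always treated as data.

```python
import sqlite3

# Constructed sample rows (not from the original page).
SAMPLE_USERS = [("alice", "alice@example.test"), ("O'Brien", "obrien@example.test")]


def make_db():
    """Create an in-memory table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_vulnerable(conn, username):
    # CWE-89 pattern: request data is formatted straight into the SQL text.
    # A quote in the input closes the string literal, so whatever follows is
    # parsed as SQL rather than compared as a value.
    query = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn, username):
    # Prepared statement: the value is bound as a parameter and is always
    # treated as data, so special characters cannot change the query's structure.
    query = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def compare(username):
    """Run both variants on one input; report the rows or the error class raised."""
    conn = make_db()
    try:
        vuln = lookup_email_vulnerable(conn, username)
    except sqlite3.Error as exc:
        vuln = type(exc).__name__
    return {"vulnerable": vuln, "safe": lookup_email_safe(conn, username)}


if __name__ == "__main__":
    for name in ("alice", "O'Brien"):
        print(name, compare(name))
```

The formatted query fails on the second name with a database error, which is the same parsing behaviour an attacker relies on; the parameterized query returns the matching row for both.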
Impact
If exploited, an attacker could read, modify, or delete sensitive data in the database, bypass authentication, or even execute administrative operations. This can lead to data breaches, data loss, and compromise of the entire application or backend systems.