Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description
Building SQL queries by inserting user input directly into formatted strings can allow attackers to inject malicious SQL code. This happens when variables are concatenated or formatted into SQL statements without proper sanitization or use of prepared statements.
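The following Java class is an added example written for this page; it is not code from the rule itself. It puts the flagged pattern (string concatenation and `String.format`) next to the fix the description calls for (a `PreparedStatement` with bound parameters), and it also covers the one case parameters cannot handle, a user-chosen column name, which must be restricted to an allow-list instead. It assumes a JDBC `Connection` supplied by the caller and a hypothetical `orders` table with `id`, `total`, `customer` and `created_at` columns; the class and method names are illustrative.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class OrderRepository {

    // VULNERABLE (what this rule flags): the user-supplied value becomes part of
    // the SQL text, so the database parses whatever characters it contains as SQL.
    public static int countOrdersVulnerable(Connection conn, String customer) throws SQLException {
        String sql = "SELECT COUNT(*) FROM orders WHERE customer = '" + customer + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getInt(1) : 0;
        }
    }

    // STILL VULNERABLE: formatting the value in and then calling prepareStatement
    // does not help; the value is already baked into the SQL text before the driver sees it.
    public static int countOrdersFormatted(Connection conn, String customer) throws SQLException {
        String sql = String.format("SELECT COUNT(*) FROM orders WHERE customer = '%s'", customer);
        try (PreparedStatement ps = conn.prepareStatement(sql); ResultSet rs = ps.executeQuery()) {
            return rs.next() ? rs.getInt(1) : 0;
        }
    }

    // SAFE: the SQL text is a constant; the value travels to the database as a
    // bound parameter and is never interpreted as query syntax.
    public static int countOrdersSafe(Connection conn, String customer) throws SQLException {
        String sql = "SELECT COUNT(*) FROM orders WHERE customer = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, customer);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }

    // Identifiers such as column names cannot be bound with '?'. When the sort
    // column comes from the user, accept only values from a fixed allow-list
    // (hypothetical column names for this example) before building the query.
    private static final Set<String> SORTABLE_COLUMNS = Set.of("created_at", "total", "customer");

    public static List<Long> listOrderIdsSorted(Connection conn, String customer, String sortColumn)
            throws SQLException {
        if (!SORTABLE_COLUMNS.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        // sortColumn is now one of three constants the code owns, not raw input.
        String sql = "SELECT id FROM orders WHERE customer = ? ORDER BY " + sortColumn;
        List<Long> ids = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, customer);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    ids.add(rs.getLong("id"));
                }
            }
        }
        return ids;
    }
}
```

When reviewing findings from this rule, the distinguishing question is whether user input reaches the SQL string before `prepareStatement` is called (vulnerable, as in the first two methods) or only through `setString`/`setInt`-style binding afterwards (safe). The allow-list approach in the last method is the standard remediation for the parts of a query, such as column names and sort direction, that drivers do not let you parameterize.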
Impact
If exploited, attackers could execute unauthorized SQL commands—such as reading, modifying, or deleting database records—leading to data breaches, data loss, or compromised application integrity. This can result in serious security incidents and potential regulatory violations.