Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language | java |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description#
Building SQL queries by combining strings or using formatted strings with user input can allow attackers to inject malicious SQL code. Instead of concatenation, use PreparedStatement to safely pass parameters and prevent SQL injection.
Impact#
If exploited, an attacker could read, modify, or delete database records, escalate their privileges, or compromise the entire application. This can lead to data breaches, loss of sensitive information, and significant damage to the organization’s reputation and operations.