Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language | java |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description#
Building SQL queries by directly concatenating or formatting user input into the query string makes your code vulnerable to SQL injection. This practice allows attackers to inject malicious SQL code if inputs are not properly sanitized.
Impact#
If exploited, attackers could manipulate database queries to access, modify, or delete sensitive data, bypass authentication, or execute unauthorized commands. This can lead to data breaches, data loss, or complete compromise of the application and its underlying database.