Property
Language: java
Severity: medium
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Building JDO SQL queries by concatenating or formatting strings with untrusted input can allow attackers to inject malicious SQL code. This happens when user-controlled data is placed directly into the query text instead of being passed to a parameterized query (the JDO equivalent of a prepared statement), so a value containing SQL syntax changes the statement itself rather than being treated as data.
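The pattern the rule flags, beside the parameterized form that fixes it, as an added example that is not part of the original rule page. It assumes a persistence-capable class User mapped to a table USERS with a NAME column; none of these names come from the page.

```java
import java.util.List;
import javax.jdo.PersistenceManager;
import javax.jdo.Query;
import javax.jdo.annotations.PersistenceCapable;
import javax.jdo.annotations.PrimaryKey;

// Assumed mapping for the example (not from the page): one row per user, keyed by NAME.
@PersistenceCapable(table = "USERS")
class User {
    @PrimaryKey
    String name;
}

public class UserLookup {

    // VULNERABLE: the untrusted value is spliced into the SQL text. A single quote in
    // 'name' terminates the string literal and whatever follows is parsed as SQL, so the
    // caller controls the statement, not just the compared value.
    @SuppressWarnings("unchecked")
    public static List<User> findByNameUnsafe(PersistenceManager pm, String name) {
        String sql = "SELECT * FROM USERS WHERE NAME = '" + name + "'";
        Query q = pm.newQuery("javax.jdo.query.SQL", sql);
        q.setClass(User.class);               // map result rows to User instances
        return (List<User>) q.execute();
    }

    // FIXED: the SQL text is a constant with a '?' placeholder; the value is bound at
    // execution time, so it reaches the database as a parameter and can never alter
    // the statement's structure, whatever characters it contains.
    @SuppressWarnings("unchecked")
    public static List<User> findByNameSafe(PersistenceManager pm, String name) {
        Query q = pm.newQuery("javax.jdo.query.SQL", "SELECT * FROM USERS WHERE NAME = ?");
        q.setClass(User.class);
        return (List<User>) q.execute(name);  // positional parameter bound to 'name'
    }
}
```

The same rule applies to JDOQL: keep the filter string constant and pass values through query parameters rather than building the filter from input.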

Impact

Exploitation can let an attacker execute arbitrary SQL commands, leading to data theft, modification, or deletion. This could expose sensitive information, corrupt the database, or give attackers unauthorized access to application data.