Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language | java |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description#
User input is being directly used to build SQL queries by concatenating strings, which can allow attackers to inject malicious SQL commands. This practice is unsafe and should be replaced with parameterized queries to prevent SQL injection.
Impact#
If exploited, an attacker could manipulate database queries to access, modify, or delete sensitive data, bypass authentication, or corrupt the entire database. This could lead to data breaches, data loss, and significant harm to the application’s security and reputation.