Property
Language: java
Severity: high
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

Untrusted input is concatenated directly into a SQL query string, so the database parses the input as part of the SQL text rather than as data. An attacker who controls that input can change the structure of the query (for example by closing a string literal and appending an always-true condition or a UNION clause). Pass user-supplied values as bound parameters, using a PreparedStatement with placeholders or an ORM's parameter binding, so the query shape is fixed before any user data is seen. Note that an ORM does not help if you still concatenate user input into native, HQL or JPQL query strings, and that identifiers such as table or column names cannot be bound as parameters and must instead be checked against an allow-list.
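The following Java snippet is an added example, not code from the original page or from the tool this rule belongs to. It puts the vulnerable concatenation pattern beside the parameterized form, and adds the allow-list check needed for an ORDER BY column, which cannot be bound as a parameter. The `users(id, username, role, created_at)` table, the `SqlInjectionExample` class name and the payload string are assumptions made for illustration; `findRoleSafe` expects an open JDBC `Connection` supplied by the caller.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

public class SqlInjectionExample {

    // VULNERABLE: the attacker-controlled value becomes part of the SQL text,
    // so a single quote in the input ends the literal and the rest is parsed as SQL.
    static String buildVulnerableQuery(String username) {
        return "SELECT id, role FROM users WHERE username = '" + username + "'";
    }

    // Constructed payload (assumed for the demo): closes the string literal and
    // appends an always-true condition, so the WHERE clause matches every row.
    static final String PAYLOAD = "alice' OR '1'='1";

    // SAFE: the value travels as a bound parameter. The database receives the
    // query shape first and the data separately, so quotes in `username` cannot
    // alter the statement. Assumes `conn` is an open JDBC connection to a
    // database that has a users(id, username, role, created_at) table.
    static String findRoleSafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT role FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("role") : null;
            }
        }
    }

    // Identifiers (here the ORDER BY column) cannot be bound with setString,
    // so the only safe approach is to accept a fixed set of known column names.
    private static final Set<String> SORTABLE_COLUMNS = Set.of("username", "created_at");

    static String buildOrderedQuery(String sortColumn) {
        if (!SORTABLE_COLUMNS.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        return "SELECT id, username FROM users ORDER BY " + sortColumn;
    }

    public static void main(String[] args) {
        // Shows the injected statement that the vulnerable path would send to the database.
        System.out.println(buildVulnerableQuery(PAYLOAD));

        // The allow-list accepts a known column and rejects anything else,
        // including attempts to smuggle extra statements into the identifier position.
        System.out.println(buildOrderedQuery("username"));
        try {
            buildOrderedQuery("username; DROP TABLE users");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running `main` prints the concatenated query so you can see the payload's quote closing the `username` literal and the `OR '1'='1'` clause becoming part of the predicate. The same payload passed to `findRoleSafe` is simply looked up as the literal username `alice' OR '1'='1` and matches nothing. When reviewing a finding from this rule, check whether the flagged string ever reaches `Statement.execute`/`executeQuery` or `createQuery` with user data embedded in the SQL text; moving the data into `?` placeholders (or named ORM parameters) is the fix, and concatenating only allow-listed identifiers is the acceptable exception.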

Impact

If exploited, an attacker can read, modify or delete data in the database, bypass authentication by altering login queries, or execute other operations the application never intended to expose. Depending on the database account's privileges, this can lead to a data breach, loss of data integrity, or full compromise of the application's data layer.