Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description#
User input is being directly inserted into SQL queries by string concatenation instead of using parameterized queries. This exposes the code to SQL injection attacks because attackers can manipulate input to alter the intended SQL command.
Impact#
If exploited, an attacker could read, modify, or delete database records, including sensitive data. This could lead to data breaches, unauthorized access, data loss, or even full compromise of the application’s database.