Property

Language: javascript
Severity: medium
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: Medium
Likelihood Level: High

Description

Building SQL queries by concatenating variables directly into the query string passed to the mssql driver (the Node.js mssql package) lets user-supplied data alter the intended SQL logic. This practice creates a risk of SQL injection whenever the concatenated variables are not properly sanitized, which is hard to guarantee for every code path.
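The pattern this rule flags next to its parameterized replacement, as an added example that is not code from the rule page or from the mssql project. It uses the real node-mssql Request API (request.input(name, value) and request.query(text)); the Request object is passed in so a recording stub can stand in for new sql.Request(pool) offline, and the users table, its columns and the sample value are constructed for illustration.

```javascript
// Vulnerable pattern flagged by the rule: the value is spliced into the SQL text,
// so any quote or operator in it becomes part of the statement.
function buildVulnerableQuery(username) {
  return "SELECT id, email FROM users WHERE username = '" + username + "'";
}

// Hardened pattern: fixed SQL text, value bound as the named parameter @username.
// The driver sends the value out of band, so it can never change the statement.
const SAFE_QUERY = 'SELECT id, email FROM users WHERE username = @username';

function findUserSafe(request, username) {
  // input(name, value) binds @username; in production prefer an explicit type,
  // e.g. request.input('username', sql.VarChar(64), username).
  request.input('username', username);
  return request.query(SAFE_QUERY); // resolves to { recordset: [...] } in mssql
}

// Stub (assumed, not part of mssql) exposing the two Request methods the safe
// path uses; it records the bound inputs and query text for inspection.
function stubRequest() {
  const calls = { inputs: {}, queries: [] };
  return {
    calls,
    input(name, value) { calls.inputs[name] = value; return this; },
    query(text) { calls.queries.push(text); return Promise.resolve({ recordset: [] }); },
  };
}

// Runs both variants on one value and reports whether the user-supplied value
// ended up inside the SQL text (the property that makes concatenation unsafe).
function compare(username) {
  const vulnerableText = buildVulnerableQuery(username);
  const request = stubRequest();
  findUserSafe(request, username); // stub resolves immediately; only the recording matters
  const safeText = request.calls.queries[0];
  return {
    vulnerableText,
    safeText,
    vulnerableEmbedsValue: vulnerableText.includes(username),
    safeEmbedsValue: safeText.includes(username),
    boundValue: request.calls.inputs.username,
  };
}

// Constructed sample input: a legitimate name containing a single quote already
// breaks the concatenated literal, while the parameterized query is unchanged.
const result = compare("O'Brien");
console.log(result.vulnerableText); // the quote inside the value has closed the literal early
console.log(result.safeText);       // identical to SAFE_QUERY; the value travels separately
```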

Impact

Attackers could exploit this flaw to execute arbitrary SQL commands, potentially exposing, modifying, or deleting sensitive data in your database. This can lead to data breaches, loss of data integrity, and compromise of the entire application.