Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description#
The code builds SQL queries by directly inserting variables into strings using formatting or f-strings. This approach makes the queries vulnerable to SQL injection if any user input is included.
Impact#
An attacker could manipulate input to run arbitrary SQL commands, potentially exposing, modifying, or deleting sensitive data in your database. This can lead to data breaches, data loss, or unauthorized access to your application’s backend.