Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
The code builds SQL query strings for aiopg by concatenating or formatting variables (f-strings, `%` formatting, `.format()`, `+`) into the statement text, so untrusted input can change the structure of the query. When user-controlled data is embedded directly in the SQL string, the application is vulnerable to SQL injection.
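As an added illustration (not code from this rule page or from the aiopg project), the block below contains three constructed aiopg-style fragments: one that concatenates a value into the statement, the same query rewritten to pass the value through the `parameters` argument of `cursor.execute()` (aiopg follows psycopg2 and uses `%s` placeholders), and one that builds the SQL with an f-string and executes it via a variable. It also includes a small AST-based checker, written here in the spirit of this rule, that flags `execute()`/`executemany()` calls whose SQL text is assembled dynamically. The checker, the helper names, and the sample sources are all assumptions of this example.

```python
from __future__ import annotations

import ast

# Constructed sample inputs (not from the original page): aiopg-style coroutines.
# The vulnerable fragment concatenates `username` into the statement text.
VULNERABLE_SRC = '''
async def get_user(pool, username):
    async with pool.acquire() as conn:
        async with conn.cursor() as cur:
            await cur.execute("SELECT id FROM users WHERE name = '" + username + "'")
            return await cur.fetchone()
'''

# Same query with the value passed as a parameter: aiopg (via psycopg2) uses
# %s placeholders and quotes the value itself, so it cannot become SQL syntax.
SAFE_SRC = '''
async def get_user(pool, username):
    async with pool.acquire() as conn:
        async with conn.cursor() as cur:
            await cur.execute("SELECT id FROM users WHERE name = %s", (username,))
            return await cur.fetchone()
'''

# The SQL is built with an f-string first and executed through a variable.
FSTRING_VAR_SRC = '''
async def delete_session(conn, token):
    query = f"DELETE FROM sessions WHERE token = '{token}'"
    async with conn.cursor() as cur:
        await cur.execute(query)
'''

EXECUTE_METHODS = {"execute", "executemany"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression assembles a string from non-literal parts."""
    if isinstance(node, ast.JoinedStr):                      # f"... {x} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp):
        if isinstance(node.op, ast.Mod):                     # "... %s" % x
            return isinstance(node.left, ast.Constant) and isinstance(node.left.value, str)
        if isinstance(node.op, ast.Add):                     # "..." + x + "..."
            return not (isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                    # "...".format(x)
    return False


class SqlBuildFinder(ast.NodeVisitor):
    """Flags execute()/executemany() calls whose SQL text is built dynamically.

    Flow-insensitive heuristic: a name assigned a dynamic string anywhere
    earlier in the module is treated as tainted, which errs toward false positives.
    """

    def __init__(self) -> None:
        self.tainted_names: set[str] = set()
        self.findings: list[tuple[int, str]] = []

    def visit_Assign(self, node: ast.Assign) -> None:
        if (len(node.targets) == 1 and isinstance(node.targets[0], ast.Name)
                and _is_dynamic_string(node.value)):
            self.tainted_names.add(node.targets[0].id)
        self.generic_visit(node)

    def visit_AugAssign(self, node: ast.AugAssign) -> None:
        if isinstance(node.target, ast.Name) and isinstance(node.op, ast.Add):
            self.tainted_names.add(node.target.id)           # query += "..."
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in EXECUTE_METHODS and node.args:
            sql = node.args[0]
            if _is_dynamic_string(sql):
                self.findings.append((node.lineno, "SQL text built with formatting/concatenation"))
            elif isinstance(sql, ast.Name) and sql.id in self.tainted_names:
                self.findings.append((node.lineno, f"SQL text comes from dynamically built '{sql.id}'"))
        self.generic_visit(node)


def find_sql_string_building(source: str) -> list[tuple[int, str]]:
    """Parse Python source and return (line, reason) for each flagged execute call."""
    finder = SqlBuildFinder()
    finder.visit(ast.parse(source))
    return finder.findings


if __name__ == "__main__":
    samples = [("vulnerable", VULNERABLE_SRC), ("safe", SAFE_SRC), ("f-string var", FSTRING_VAR_SRC)]
    for label, src in samples:
        print(label, find_sql_string_building(src))
```

The checker only needs the source text, so it runs without a database. Note that a `%s` placeholder is safe only when the value travels in the second argument of `execute()`; the same `%s` combined with Python's `%` operator on the string is the vulnerable form, which is why the checker distinguishes the two. The taint tracking is deliberately simple (no scoping or reassignment analysis), so treat its output as candidates for review rather than a verdict.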
Impact
If exploited, an attacker could manipulate database queries to read, modify, or delete sensitive data, bypass authentication, or execute unauthorized commands. This can lead to data breaches, data loss, or full compromise of the application’s database.