Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description#
The code builds SQL queries by directly inserting user input into SQL strings, which makes it easy for attackers to inject malicious SQL commands. This practice is unsafe because it doesn’t properly separate user data from SQL code.
Impact#
If exploited, an attacker could manipulate database queries to access, modify, or delete sensitive data, potentially leading to data breaches or loss. This can compromise application integrity, expose user information, and cause significant organizational harm.