Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description#
Using QuerySet.extra() in Django can allow raw SQL fragments into queries without proper protection, making your code vulnerable to SQL injection. Instead, use Django’s ORM methods and parameterized queries to safely handle user input.
Impact#
If exploited, attackers could manipulate SQL queries to access, modify, or delete sensitive database data, potentially leading to data breaches, loss of integrity, or complete compromise of the application’s database. This can expose confidential information and severely damage user trust and organizational reputation.