Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description#
Using raw or non-parameterized SQL queries (such as RawSQL or .raw()) in Django can expose your application to SQL injection attacks. This happens when user input is included directly in SQL statements without proper handling, allowing attackers to manipulate queries.
Impact#
If exploited, attackers could access, modify, or delete sensitive data in your database by injecting malicious SQL commands. This could lead to data breaches, loss of data integrity, unauthorized access to user information, and severe reputational or regulatory consequences for your organization.