Property
Language: python
Severity: medium
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Custom database expressions that build SQL text inside an 'as_sql' method are dangerous when user input is concatenated into that text instead of being passed as query parameters. Without proper sanitization, an attacker can inject SQL into the queries your application runs against its database.
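The pattern the rule flags, shown as an added example that is not part of the original rule page. Django itself is not imported: `StubCompiler` and `StubConnection` are constructed stand-ins for the `compiler` and `connection` objects the ORM passes to `as_sql`, while the `as_sql(compiler, connection) -> (sql, params)` contract is the real one. `UnsafeContains` pastes the needle into the SQL string; `SafeContains` returns a `%s` placeholder and moves the needle into `params`. A constructed input containing an apostrophe is enough to show that the first form breaks the query's structure while the second treats it as data.

```python
"""Custom Django-style expressions: string-built SQL vs. parameterised SQL.

Added illustration; `StubCompiler`/`StubConnection` are constructed stand-ins,
not Django classes. Django's SQLite backend rewrites the `%s` placeholder to
`?` before execution, which `run_against_sqlite` does by hand below.
"""
import sqlite3


class StubConnection:
    """Stand-in for a Django DatabaseWrapper (only the vendor name is used)."""
    vendor = "sqlite"


class StubCompiler:
    """Stand-in for Django's SQLCompiler: delegates to each node's as_sql()."""
    def __init__(self, connection):
        self.connection = connection

    def compile(self, node):
        return node.as_sql(self, self.connection)


class Col:
    """Leaf expression naming a column; carries no user data."""
    def __init__(self, name):
        self.name = name

    def as_sql(self, compiler, connection):
        return f'"{self.name}"', []


class UnsafeContains:
    """Vulnerable form: the user-supplied needle is pasted into the SQL text."""
    def __init__(self, lhs, needle):
        self.lhs, self.needle = lhs, needle

    def as_sql(self, compiler, connection):
        lhs_sql, lhs_params = compiler.compile(self.lhs)
        # BUG: any quote character in `needle` changes the query's structure.
        return f"{lhs_sql} LIKE '%{self.needle}%'", lhs_params


class SafeContains:
    """Fixed form: the needle travels in `params`; the SQL holds a placeholder."""
    def __init__(self, lhs, needle):
        self.lhs, self.needle = lhs, needle

    def as_sql(self, compiler, connection):
        lhs_sql, lhs_params = compiler.compile(self.lhs)
        # `%s` is Django's placeholder convention. LIKE wildcards are added
        # to the parameter value, never to the SQL string.
        return f"{lhs_sql} LIKE %s", lhs_params + [f"%{self.needle}%"]


def compile_where(expr):
    """Compile one expression into (sql, params), as the ORM would."""
    return StubCompiler(StubConnection()).compile(expr)


def run_against_sqlite(expr):
    """Run `SELECT name FROM users WHERE <expr>` on a constructed in-memory DB.

    Returns the list of matching names, or "error: ..." if SQLite rejects
    the statement.
    """
    sql, params = compile_where(expr)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.executemany("INSERT INTO users VALUES (?)", [("O'Brien",), ("Alice",)])
    try:
        rows = db.execute(
            f'SELECT name FROM users WHERE {sql.replace("%s", "?")}', params
        ).fetchall()
        return [r[0] for r in rows]
    except sqlite3.Error as exc:
        return f"error: {exc}"
    finally:
        db.close()


if __name__ == "__main__":
    needle = "O'Brien"  # constructed input containing a quote character
    print(compile_where(UnsafeContains(Col("name"), needle)))
    print(compile_where(SafeContains(Col("name"), needle)))
    print(run_against_sqlite(UnsafeContains(Col("name"), needle)))
    print(run_against_sqlite(SafeContains(Col("name"), needle)))
```

The fix is not escaping: `SafeContains` never touches the needle beyond wrapping it in LIKE wildcards, and the database driver binds it as a value. When reviewing a real `as_sql`, look for any f-string, `%`-format or concatenation whose operand can originate from a request; every such operand belongs in the returned `params` list instead.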

Impact

If exploited, attackers could read, modify, or delete sensitive data in the database, bypass authentication, or gain unauthorized access. This could lead to data breaches, loss of data integrity, and compromise of the entire application.