Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description#
Building SQL queries by directly concatenating or formatting untrusted input into SQL strings can allow attackers to inject malicious SQL code. This insecure practice makes your code vulnerable to SQL injection attacks.
Impact#
If exploited, an attacker could manipulate database queries to access, modify, or delete data, bypass authentication, or execute administrative operations. This can lead to data breaches, data loss, or full compromise of the application’s database.