Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Building SQL queries by concatenating or formatting user input into strings and passing the result to sqlalchemy.text() can allow attackers to inject malicious SQL code. Because the input becomes part of the query text rather than a bound parameter, this approach bypasses SQLAlchemy’s built-in protections, making your code vulnerable to SQL injection.
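The flagged pattern beside its corrected form, as an added example rather than code from the rule's source: both functions run the same lookup against a constructed in-memory SQLite table, but only the vulnerable one lets a quote in the input change the query's structure (the `users` schema and the SQLite backend are assumptions for the demo).

```python
from sqlalchemy import create_engine, text

# Constructed demo database: an in-memory SQLite engine with a small users table.
engine = create_engine("sqlite://")
with engine.begin() as conn:
    conn.execute(text("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"))
    conn.execute(text("INSERT INTO users (username, role) VALUES ('alice', 'user'), ('bob', 'admin')"))


def find_user_vulnerable(username):
    # The pattern this rule flags: untrusted input is formatted into the SQL string
    # before text() sees it, so quotes and keywords in the input become query grammar.
    stmt = text(f"SELECT username, role FROM users WHERE username = '{username}'")
    with engine.connect() as conn:
        return [tuple(row) for row in conn.execute(stmt)]


def find_user_safe(username):
    # Hardened form: a named bind parameter (:username). The value is sent to the
    # driver separately from the statement text, so it can only ever be compared
    # as data, never parsed as SQL.
    stmt = text("SELECT username, role FROM users WHERE username = :username")
    with engine.connect() as conn:
        return [tuple(row) for row in conn.execute(stmt, {"username": username})]


def demonstrate():
    # Returns (vulnerable rows, safe rows) for the same crafted input, a constructed
    # string containing a quote and a tautology, to show the behavioural difference.
    probe = "x' OR '1'='1"
    return find_user_vulnerable(probe), find_user_safe(probe)


if __name__ == "__main__":
    vulnerable_rows, safe_rows = demonstrate()
    print("vulnerable returned:", vulnerable_rows)  # every row in the table
    print("safe returned:     ", safe_rows)        # no match, as intended
```

A static rule detects the `text(f"..."`, `text("..." % ...)` and `text("..." + ...)` shapes; the fix is always the same, move the value into a bound parameter.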
Impact
If exploited, an attacker could execute arbitrary SQL commands against your database, potentially leading to data theft, data manipulation, or deletion. This could compromise sensitive information, disrupt application functionality, or even result in a complete database breach.