Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description#
User input is being directly inserted into SQL queries by building query strings manually. This practice makes the code vulnerable to SQL injection attacks because untrusted data can alter the structure of the SQL command.
Impact#
If exploited, an attacker could steal, modify, or delete data in your database, gain unauthorized access to sensitive information, or potentially compromise the entire application. This can lead to data breaches, data loss, and regulatory or reputational damage.