Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description#
User input is being directly used to build SQL queries, which makes the code vulnerable to SQL injection attacks. Instead of manually creating query strings with input, use parameterized queries or an ORM like ActiveRecord.
Impact#
If exploited, an attacker could manipulate queries to read, modify, or delete database records, potentially exposing sensitive data or compromising the entire application. This can lead to data breaches, data loss, or unauthorized access.