Property
Language: swift
Severity: medium
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Medium

Description

The code builds SQL queries by interpolating or concatenating dynamic values into the query string instead of passing them as bound parameters of a prepared statement. Because the database parses the finished string, any untrusted value that contains quotes or SQL syntax can change the structure of the command rather than being treated as data, which is the condition for SQL injection.
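The following is an added example, not code from the original page or from any project it describes. It shows the flagged pattern (string interpolation into the SQL text) next to the fix (a prepared statement with a bound parameter) against an in-memory SQLite database through the SQLite3 C API, which is what most iOS/macOS apps use underneath. The table layout, the rows, and the injected input are constructed for the demonstration; it assumes an Apple platform where `import SQLite3` is available.

```swift
import Foundation
import SQLite3

// SQLite's SQLITE_TRANSIENT destructor constant is a macro the Swift importer
// does not expose, so it is recreated here with the usual idiom.
let SQLITE_TRANSIENT = unsafeBitCast(-1, to: sqlite3_destructor_type.self)

/// Reads column 0 of every row the statement yields, then finalizes it.
private func collectStrings(_ stmt: OpaquePointer?) -> [String] {
    defer { sqlite3_finalize(stmt) }
    var rows: [String] = []
    while sqlite3_step(stmt) == SQLITE_ROW {
        if let text = sqlite3_column_text(stmt, 0) {
            rows.append(String(cString: text))
        }
    }
    return rows
}

/// VULNERABLE: the caller-controlled name is interpolated into the SQL text,
/// so a value containing a quote rewrites the WHERE clause.
func findEmailUnsafe(db: OpaquePointer?, username: String) -> [String] {
    let sql = "SELECT email FROM users WHERE name = '\(username)'"
    var stmt: OpaquePointer?
    guard sqlite3_prepare_v2(db, sql, -1, &stmt, nil) == SQLITE_OK else { return [] }
    return collectStrings(stmt)
}

/// HARDENED: the SQL text is a constant and the value is bound as a parameter.
/// The database never parses the user's string as SQL.
func findEmailSafe(db: OpaquePointer?, username: String) -> [String] {
    let sql = "SELECT email FROM users WHERE name = ?"
    var stmt: OpaquePointer?
    guard sqlite3_prepare_v2(db, sql, -1, &stmt, nil) == SQLITE_OK else { return [] }
    // Placeholders are 1-indexed; -1 lets SQLite compute the byte length.
    sqlite3_bind_text(stmt, 1, username, -1, SQLITE_TRANSIENT)
    return collectStrings(stmt)
}

// --- Demonstration with a constructed in-memory database ---
var db: OpaquePointer?
guard sqlite3_open(":memory:", &db) == SQLITE_OK else { fatalError("cannot open db") }
defer { sqlite3_close(db) }

let setup = """
CREATE TABLE users(name TEXT, email TEXT);
INSERT INTO users VALUES ('alice', 'alice@example.test');
INSERT INTO users VALUES ('bob',   'bob@example.test');
"""
sqlite3_exec(db, setup, nil, nil, nil)

// Constructed attacker input: closes the string literal and appends a tautology.
let injected = "' OR '1'='1"

let leaked = findEmailUnsafe(db: db, username: injected)
print("unsafe:", leaked)   // both addresses: the WHERE clause became always-true

let bounded = findEmailSafe(db: db, username: injected)
print("safe:", bounded)    // []: no user is literally named "' OR '1'='1"

print("safe, normal lookup:", findEmailSafe(db: db, username: "alice"))
```

Two practical notes on the unsafe path. First, escaping quotes by hand (replacing `'` with `''`) is not an equivalent fix: it only covers string literals and is easy to miss for numeric or LIKE contexts, whereas binding covers every value type. Second, `sqlite3_prepare_v2` compiles only the first statement in the string, so stacked queries such as `'; DROP TABLE users; --` do not execute through that call; they do execute through `sqlite3_exec`, so any code that runs interpolated strings via `sqlite3_exec` is exposed to that as well.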

Impact

If exploited, an attacker who controls a value that reaches the query could bypass authentication checks, read or modify data in the app's local database, or alter app behaviour that depends on query results. On a mobile device the database is typically local, so the realistic impact is disclosure or tampering of the user's own stored data, credentials and tokens, or application state; whether an attacker can reach the input at all (deep links, pasteboard, server responses, shared files) determines the likelihood.