SYM_GO_0036 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Building SQL queries by concatenating variables or using string formatting in go-pg can expose your code to SQL injection if any part of the query comes from user input. Instead, always use parameterized queries to safely handle dynamic values.
Impact
If exploited, an attacker could manipulate the database query to access, modify, or delete data, bypass authentication, or execute unintended commands. This can lead to data breaches, data loss, or full compromise of your application's database.