SYM_GO_0037 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
## Description
Building SQL queries in Go with pgx by concatenating variables (especially user input) directly into the query string can allow attackers to inject malicious SQL code, because the value becomes part of the statement's grammar rather than data. Instead, parameterized queries should be used to pass variables to the database separately from the SQL text.
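The following Go program is an added example, not code from the Symbiotic-Vulnerability-Database wiki or from the pgx project. It contrasts a query builder that concatenates the value into the SQL text with one that keeps the text constant and passes the value as a bound argument, which is how pgx expects values (PostgreSQL `$1` placeholders plus an argument list). No database is contacted; the `Query` struct, the `findUser*` builders and the `inputAltersSQL` guard are assumptions made for the illustration, and the sample input is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Query is the shape pgx ultimately receives: the SQL text and a separate
// slice of arguments bound to $1, $2, ... by the server.
// (Hypothetical type for this example; pgx takes these as separate parameters.)
type Query struct {
	SQL  string
	Args []any
}

// findUserVulnerable builds the statement by string concatenation, so an
// untrusted value becomes part of the SQL grammar (CWE-89).
func findUserVulnerable(username string) Query {
	return Query{SQL: "SELECT id, email FROM users WHERE username = '" + username + "'"}
}

// findUserSafe keeps the SQL text constant and hands the value to the driver
// as a bound parameter. pgx sends the text and the arguments separately, so
// the value cannot change the query structure. With a real connection this
// would be: conn.QueryRow(ctx, q.SQL, q.Args...) (assumed conn *pgx.Conn).
func findUserSafe(username string) Query {
	return Query{
		SQL:  "SELECT id, email FROM users WHERE username = $1",
		Args: []any{username},
	}
}

// inputAltersSQL reports whether an untrusted value ended up inside the SQL
// text itself instead of in Args. It is a cheap guard to put in unit tests of
// query-building code: for a parameterized builder it must always be false.
func inputAltersSQL(q Query, untrusted string) bool {
	return strings.Contains(q.SQL, untrusted)
}

func main() {
	// Constructed sample input: a value containing a quote character, which is
	// exactly the kind of input that breaks out of a concatenated literal.
	input := "alice' OR '1'='1"
	for _, q := range []Query{findUserVulnerable(input), findUserSafe(input)} {
		fmt.Printf("SQL : %s\nArgs: %v\nquery structure changed by input: %v\n\n",
			q.SQL, q.Args, inputAltersSQL(q, input))
	}
}
```

Running it shows the concatenated statement now carrying an extra `OR` condition, while the parameterized statement is byte-for-byte the same as for any other username and the value sits in `Args`. The `inputAltersSQL` check is the kind of assertion worth keeping in a test suite for every function that assembles SQL.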
## Impact
If exploited, attackers could manipulate your database queries to access, modify, or delete sensitive data, bypass authentication, or execute unauthorized operations. This can lead to data breaches, data loss, or full compromise of the application’s backend systems.