SYM_PHP_0049 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
The code builds SQL queries by directly concatenating variables into the query string when using Doctrine DBAL methods. This practice is unsafe if any variable data comes from user input, as it can allow malicious input to alter the query.
Impact
If exploited, an attacker could inject arbitrary SQL commands, potentially exposing, modifying, or deleting data in your database. This could lead to data breaches, loss of data integrity, or full compromise of the application's backend.