SYM_PY_0068 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Building SQL queries in Python using string concatenation or formatting with variables in pg8000 can allow attackers to inject malicious SQL if any variable is user-controlled. Instead, always use parameterized queries or prepared statements to safely include user input in SQL statements.
Impact
If exploited, attackers could execute arbitrary SQL commands against your database, potentially reading or modifying sensitive data, bypassing authentication, or destroying data. This can lead to data breaches, loss of data integrity, and serious security incidents impacting both users and the organization.