SYM_PY_0070 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Building SQL queries in psycopg2 by concatenating variables directly into the query string can allow user input to change the structure of the SQL command. This exposes your code to SQL injection attacks when user data is not properly handled.
Impact
If exploited, attackers could manipulate database queries to read, modify, or delete data, bypass authentication, or gain unauthorized access to sensitive information. This could result in data breaches, data loss, or full compromise of the application's database.