SQL Injection


It is possible to execute arbitrary SQL commands on the target application server’s backend database. SQL Injection is a critical vulnerability that can lead to a data or system compromise.


Always use parameterized queries when issuing requests to backend database systems. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user-supplied key.

For example, some database drivers do not allow parameterized queries for > or < comparison operators. In these cases, do not use a user supplied > or < value, but rather have the user supply a gt or lt value. The alphabetical values are then used to look up the > and < values to be used in the construction of the dynamic query. The same goes for other queries where column or table names are required but can not be parameterized.


ID Aggregated CWE Type Risk
89.1 false 89 Active high