CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')


SQL injection is a type of security exploit in which the attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data. An SQL query is a request for some action to be performed on a database. Typically, on a Web form for user authentication, when a user enters their name and password into the text boxes provided for them, those values are inserted into a SELECT query. If the values entered are found as expected, the user is allowed access; if they are not found, access is denied.

However, most Web forms have no mechanisms in place to block input other than names and passwords. Unless such precautions are taken, an attacker can use the input boxes to send their own request to the database, which could allow them to download the entire database or interact with it in other illicit ways.

To such an extent, SQL injection can provide an attacker with unauthorized access to sensitive data, including customer data, personally identifiable information, trade secrets, intellectual property and other sensitive information.Ability to read, modify and steal confidetial data helps the attackers to get access to the system and control it with no obstacles.

The weakness is inctroduced during Architecture and Design, Implementation, Operation stages.

Latest vulnerabilities for CWE-89


Description of CWE-89 on Mitre website