CodeAnt AI home pagelight logodark logo
  • Support
  • Dashboard
  • Dashboard
Documentation
API Reference
Start Here
  • What is CodeAnt?
  • Join Community
Setup
  • Github
  • Bitbucket
  • Gitlab
  • Azure Devops
Pull Request Review
  • Features
  • Customize Review
  • Quality Gates
  • Integrations
Scan center
  • Code Security
  • Code Quality
  • Cloud Security
  • Engineering Productivity
Integrations
  • Jira
  • Test Coverage
  • CI/CD
IDE
  • Setup
  • Review
  • Enhancements
Rule Reference
  • Compliance
  • Anti-Patterns
  • Code Governance
  • Infrastructure Security Database
  • Application Security Database
    • Apex
    • Bash
    • C
    • Clojure
    • Cpp
    • Csharp
    • Dockerfile
    • Elixir
    • Fingerprints
    • Generic
    • Go
    • Html
    • Java
    • Javascript
    • Json
    • Kotlin
    • Ocaml
    • Php
    • Problem-based-packs
    • Python
      • Airflow
      • Attr
      • Aws-lambda
      • Bokeh
      • Boto3
      • Cassandra
      • Click
      • Correctness
      • Couchbase
      • Cryptography
      • Distributed
      • Django
        • Ai
        • Best practice
        • Compatibility
        • Correctness
        • Deserialization
        • Maintainability
        • Performance
        • Security
        • Security
          • Audit
          • Audit
          • Injection
          • Injection
            • Code
            • Command
            • Email
            • Path traversal
            • Sql
            • Ssrf
          • Passwords
      • Docker
      • Elasticsearch
      • Fastapi
      • Flask
      • Jinja2
      • Jwt
      • Lang
      • Ldap3
      • Mariadb
      • Mysql
      • Mysqlclient
      • Neo4j
      • Openai
      • Peewee
      • Pg8000
      • Psycopg2
      • Pycryptodome
      • Pyjwt
      • Pymongo
      • Pymssql
      • Pymysql
      • Pyramid
      • Redis
      • Requests
      • Sh
      • Sqlalchemy
      • Tormysql
      • Urllib3
      • Webrepl
      • Wtforms
    • Ruby
    • Rust
    • Scala
    • Solidity
    • Swift
    • Terraform
    • Typescript
    • Yaml
Resources
  • Open Source
  • Blogs
Injection

Sql

sql-injection-using-raw

Data that is possible user-controlled from a python request is passed to raw(). This could lead to SQL injection and attackers gaining access to protected information. Instead, use django’s QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use Entry.objects.filter(date=2006).
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

sql-injection-using-rawsql

User-controlled data from request is passed to ‘RawSQL()’. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using params and not using quote placeholders in the SQL string.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

sql-injection-using-extra-where

User-controlled data from a request is passed to ‘extra()’. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using params and not using quote placeholders in the SQL string.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

sql-injection-db-cursor-execute

User-controlled data from a request is passed to ‘execute()’. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django’s QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use Entry.objects.filter(date=2006).
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Path traversalSsrf
twitterlinkedin
Powered by Mintlify
Assistant
Responses are generated using AI and may contain mistakes.