Injection
Sql
sql-injection-using-raw
sql-injection-using-raw
Data that is possible user-controlled from a python request is passed to
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
raw(). This could lead to SQL injection and attackers gaining access to protected information. Instead, use django’s QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use Entry.objects.filter(date=2006).Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
sql-injection-using-rawsql
sql-injection-using-rawsql
User-controlled data from request is passed to ‘RawSQL()’. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
params and not using quote placeholders in the SQL string.Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
sql-injection-using-extra-where
sql-injection-using-extra-where
User-controlled data from a request is passed to ‘extra()’. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
params and not using quote placeholders in the SQL string.Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
sql-injection-db-cursor-execute
sql-injection-db-cursor-execute
User-controlled data from a request is passed to ‘execute()’. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django’s QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Entry.objects.filter(date=2006).Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection