Conversation

@guyerez (Owner) commented Jul 22, 2025

No description provided.

@guyerez (Owner, Author) commented Jul 22, 2025

Wiz Scan Summary

Scanner                    Findings
Vulnerabilities            -
Sensitive Data             -
Secrets                    -
IaC Misconfigurations      -
SAST Findings              1 High, 2 Medium
Total                      1 High, 2 Medium

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

@guyerez guyerez closed this Jul 22, 2025
@guyerez guyerez reopened this Jul 22, 2025
@guyerez guyerez closed this Aug 12, 2025
@guyerez guyerez reopened this Aug 12, 2025

Review comment on these lines of the diff:

```python
user_id = request.query_params.get("user_id")
# SQL injection vulnerability - directly concatenating user input
query = f"SELECT * FROM users WHERE id = '{user_id}'"
```
@guyerez (Owner, Author) commented:

Medium SAST Finding

Unparameterized SQL Query with User Input (CWE-915)

More Details

This rule detects instances where user input is used to manually construct a SQL query string. Manually constructing SQL queries with user input is a dangerous practice that can lead to SQL injection vulnerabilities. SQL injection is a technique where malicious SQL statements are inserted into application entries to gain unauthorized access to the database.

SQL injection attacks can allow an attacker to view, modify, or delete data from the database, escalate privileges, execute remote commands, and potentially compromise the entire application. Even if the input is sanitized, it is still risky to concatenate user input into SQL queries as it can lead to logic errors and vulnerabilities.

To avoid SQL injection, it is recommended to use parameterized queries or an object-relational mapping (ORM) library instead of manually constructing SQL queries with user input. Parameterized queries separate the query logic from the user input, preventing the input from being interpreted as part of the SQL statement.

Attribute     Value
Impact        Low
Likelihood    Medium

Rule ID: WS-I013-PYTHON-00078
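The finding above recommends parameterized queries over string construction. The following is an added example, not code from the PR and not Wiz's rule implementation: it runs the flagged pattern and its parameterized form side by side against a constructed in-memory SQLite table (sqlite3 stands in for whatever database the project actually uses), and it includes a small AST-based check that flags f-strings beginning with a SQL keyword, which is a minimal stand-in for the core of the rule and not its actual logic. The names `make_db`, `lookup_unsafe`, `lookup_safe`, `compare` and `find_fstring_sql` are assumptions.

```python
import ast
import sqlite3


# Constructed sample table (not from the PR) so both lookups run offline.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("1", "alice"), ("2", "bob")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, user_id: str) -> list:
    # The pattern the scanner flagged: the value is spliced into the SQL text,
    # so any quote or operator inside it is parsed as SQL grammar.
    query = f"SELECT * FROM users WHERE id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    # Parameterized form: the driver binds the value to the placeholder after
    # the statement has been parsed, so it can only ever be compared as data.
    return conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()


def compare(user_id: str):
    """Run both lookups on a fresh database; report a driver error instead of raising."""
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, user_id)
    except sqlite3.Error as exc:
        # A stray quote in the input breaks the concatenated statement outright;
        # the parameterized lookup below simply finds no matching row.
        unsafe = f"error: {exc}"
    return unsafe, lookup_safe(conn, user_id)


SQL_KEYWORDS = ("select", "insert", "update", "delete")


def find_fstring_sql(source: str) -> list[int]:
    """Line numbers of f-strings whose literal prefix starts with a SQL keyword.

    Minimal stand-in for the rule's core check (hypothetical, not Wiz's code);
    it does not catch queries assembled with + or str.format.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.JoinedStr) and node.values:
            head = node.values[0]
            if isinstance(head, ast.Constant) and isinstance(head.value, str):
                if head.value.lstrip().lower().startswith(SQL_KEYWORDS):
                    hits.append(node.lineno)
    return hits


# The two lines from the PR's review comment; `request` is only parsed, never executed.
FLAGGED_SNIPPET = (
    'user_id = request.query_params.get("user_id")\n'
    'query = f"SELECT * FROM users WHERE id = \'{user_id}\'"\n'
)
# Constructed counter-example using a bound parameter.
SAFE_SNIPPET = 'query = "SELECT * FROM users WHERE id = ?"\n'

if __name__ == "__main__":
    print(compare("1"))       # both forms return the same row
    print(compare("it's"))    # concatenation fails to parse; parameterized returns []
    print(find_fstring_sql(FLAGGED_SNIPPET), find_fstring_sql(SAFE_SNIPPET))
```

For a well-formed id both lookups agree, which is why the concatenated form survives testing; the difference only appears on input the developer did not anticipate. The AST check is deliberately narrow (f-strings only) so that it stays readable; a real rule would also track values that reach a query through `+`, `%` or `str.format`.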
