Details
Alert ID 200000-3
Alert Type Tool
Status alpha
Risk High
CWE 89
WASC
Technologies Targeted All
Tags CWE-89
OWASP_2021_A03
OWASP_2025_A05
TOOL_PTK

Summary

A SQL injection attack consists of the insertion or injection of a SQL query via the input data sent from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and, in some cases, issue commands to the operating system. SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

Generated by OWASP PTK DAST Module

Solution

SQL Injection happens when untrusted input is combined with SQL, letting attackers change a query's meaning. How to prevent it:
• Use parameterized queries (prepared statements) for all user-controlled values.
• Prefer safe stored procedures that use parameters (avoid dynamic SQL inside them).
• Avoid string concatenation. If you must support legacy code, use correct DB-specific escaping as a temporary measure.
• Apply least privilege to DB accounts (no DML/DDL permissions for the app).
• Validate input (allow-lists where possible), but don't rely on validation alone as a SQLi defense.
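The following is an added illustration (not code from OWASP PTK or ZAP) of the first and third points above: the same lookup written with string concatenation and with a parameterized query, run against a constructed in-memory SQLite table so the difference in behaviour can be observed directly. The table, rows and function names are assumptions for the example.

```python
import sqlite3

# Constructed sample data for the demonstration (not taken from any real system).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    # The seeding itself uses a parameterized INSERT.
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """CWE-89: untrusted input is spliced into the SQL text.

    Any quote or operator inside `username` becomes part of the query
    grammar, so the input can change the query's meaning.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Hardened form: the SQL text is fixed and the value is bound separately.

    Whatever `username` contains is compared as a literal string; it can
    never alter the structure of the statement.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    benign = "alice"
    # A constructed input whose quote and OR clause would be interpreted
    # as SQL by the concatenating version.
    crafted = "' OR '1'='1"
    print("concatenated, benign: ", lookup_vulnerable(db, benign))
    print("concatenated, crafted:", lookup_vulnerable(db, crafted))   # every row leaks
    print("parameterized, benign:", lookup_parameterized(db, benign))
    print("parameterized, crafted:", lookup_parameterized(db, crafted))  # no match
```

Running it shows the concatenated query returning every user for the crafted value while the parameterized query returns nothing, which is exactly the behavioural difference a DAST scanner such as PTK is probing for when it raises this alert.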

Other Info

References

Code

src/ptk/background/dast/modules/modules.json