Description

SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.

Remediation

Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.

References

SQL Injection (SQLi)

Prevent SQL injection vulnerabilities in PHP applications and fix them

SQL Injection - OWASP

Bobby Tables: A guide to preventing SQL injection

SQL Injection Cheet Sheets - Pentestmonkey

Related Vulnerabilities

WordPress Plugin Tutor LMS-eLearning and online course solution SQL Injection (2.6.1)

WordPress Plugin Form Maker by 10Web-Mobile-Friendly Drag & Drop Contact Form Builder SQL Injection (1.15.5)

WordPress Plugin Facebook Opengraph Meta 'all_meta.php' SQL Injection (1.0)

WordPress Plugin Quiz and Survey Master (QSM)-Easy Quiz and Survey Maker Multiple SQL Injection Vulnerabilities (4.4.3)

WordPress Plugin WP Comment Remix SQL Injection and HTML Injection Vulnerabilities (1.4.3)

Severity

Critical

Classification

CWE-89 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

SQL Injection