The application is vulnerable to SQL injection attacks. User-supplied input is incorporated into SQL queries without proper sanitization or parameterization, allowing attackers to manipulate database queries.
An attacker could bypass authentication, extract sensitive data from the database, modify or delete data, and potentially gain complete control over the database server.
Use parameterized queries or prepared statements for all database operations. Implement input validation using allowlists. Apply the principle of least privilege to database accounts. Consider using an ORM that handles parameterization automatically.
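The two fixes recommended above, parameterization for values and allowlisting for identifiers that cannot be bound as parameters, shown against a constructed in-memory SQLite database (added example, not code from the affected application; the table, accounts and function names are assumptions for illustration):

```python
import sqlite3

# Constructed sample database; plaintext passwords only to keep the example short.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Vulnerable pattern: user input is concatenated straight into the SQL text,
    # so a quote in the input changes the structure of the query.
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None

def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized query: the driver sends values separately from the query text,
    # so the same input is compared as a string literal and never parsed as SQL.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# Column names cannot be bound as parameters; validate them against an allowlist
# before they are interpolated into the statement.
ALLOWED_SORT_COLUMNS = frozenset({"id", "username"})

def is_allowed_sort_column(column: str) -> bool:
    return column in ALLOWED_SORT_COLUMNS

def list_users(conn: sqlite3.Connection, sort_by: str = "id") -> list[str]:
    if not is_allowed_sort_column(sort_by):
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    rows = conn.execute(f"SELECT username FROM users ORDER BY {sort_by}")
    return [row[0] for row in rows]
```

Running the classic tautology input through both login functions shows the difference directly: the concatenated query accepts it, the parameterized one rejects it.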