Documents  Decision Records  Risks SECR-001: SQL Injection in Search

SECR-001: SQL Injection in Search

1 Status

Date Status
01-07-2026 Identified
03-07-2026 Analysed
05-07-2026 Mitigating

2 Threat

An unauthenticated attacker reads or alters the entire database through crafted search input.

3 Vulnerability

The search endpoint concatenates the user-supplied term into the SQL statement instead of binding it as a parameter.

4 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

5 CVSS Score

9.8

6 Mitigation

Replace the string concatenation with parameterised queries across the data layer and add a negative test suite of injection payloads to the build.

7 Affected Documents

# Proposed Text Req-ID
1 The software shall pass every user-supplied value to the database exclusively as a bound parameter of a prepared statement. REQ-010
2 The software shall not compose any SQL statement text by concatenating or interpolating user-supplied input. REQ-011
3 When user input contains SQL metacharacters or injection payloads, the software shall treat the input as literal data and shall return only the results matching that literal value, without raising a database error. REQ-012

8 Monitoring

The injection payload suite runs in every build; the database audit log is reviewed weekly until the risk closes.