High-Severity SQL Injection Flaw Exposes Student Database in Flask Application Route
A critical SQL injection vulnerability has been identified in the route handler logic of a Flask-based web application, exposing the system to potential unauthorized database manipulation. The flaw, classified under CWE-89, exists within the search functionality where user-supplied input flows directly into raw SQL query construction without sanitization or parameterization. The vulnerability enables attackers to inject malicious SQL code through the 'q' query parameter, risking unauthorized data access, modification, or deletion of student records stored in the database.
The problematic code pattern appears at line 34 of app/routes.py, where an f-string concatenation embeds the 'q' query parameter directly into a SELECT statement: `f"SELECT * FROM student WHERE name LIKE '%{query}%'"`. The query executes via SQLAlchemy's `db.session.execute(text(sql)).fetchall()` without any input validation or parameterized binding. This approach lacks the fundamental safeguard of separating SQL logic from user data, allowing attacker-controlled input to alter query structure and potentially extract or manipulate sensitive records.
The vulnerability carries significant risk given its low barrier to exploitation. Attackers require only standard HTTP requests to inject SQL payloads through the search parameter, with no authentication or specialized tools needed. The impact could range from unauthorized disclosure of student information to data corruption or complete database compromise. Security researchers recommend immediate remediation using parameterized queries, specifically leveraging SQLAlchemy's bind parameters or ORM methods to ensure user input cannot modify query logic. Organizations running this application should prioritize patching and audit any dependent systems for similar injection vectors.
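To make the flawed pattern and the recommended fix concrete, the following added example (not code from the affected application) places the f-string query next to a parameterised version. It uses Python's standard-library `sqlite3` as a stand-in for SQLAlchemy's `text()` execution so it runs without Flask or a database server; the in-memory `student` table and its rows are constructed here, and `search_vulnerable`, `search_safe` and `escape_like` are names chosen for the demonstration. The `:pattern` placeholder is the same named-bind style that `text()` accepts, so the safe form transfers directly.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's student table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE student (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO student (name) VALUES (?)",
                     [("Alice Smith",), ("Bob O'Brien",), ("Carol Jones",)])
    return conn


def search_vulnerable(conn, query):
    """The flawed pattern from the advisory: input spliced into SQL text."""
    sql = f"SELECT * FROM student WHERE name LIKE '%{query}%'"
    return conn.execute(sql).fetchall()


def escape_like(value, esc="\\"):
    """Neutralise LIKE wildcards so the user's text is matched literally."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def search_safe(conn, query):
    """Parameterised form: SQL structure is fixed, the value is bound.
    SQLAlchemy's text() accepts the same :name placeholder style."""
    sql = "SELECT * FROM student WHERE name LIKE :pattern ESCAPE '\\'"
    return conn.execute(sql, {"pattern": f"%{escape_like(query)}%"}).fetchall()


def demo():
    """Compare both handlers on a quote-bearing name and a bare wildcard."""
    conn = make_db()
    out = {}
    try:  # the quote alters the spliced query's structure: CWE-89 in action
        search_vulnerable(conn, "O'Brien")
        out["vuln_query_broken"] = False
    except sqlite3.Error:
        out["vuln_query_broken"] = True
    out["safe_quote"] = [r[1] for r in search_safe(conn, "O'Brien")]
    # unescaped '%' would match every row even when bound; escaped, it is literal
    out["safe_wildcard"] = [r[1] for r in search_safe(conn, "%")]
    return out
```

Binding the value fixes the injection; escaping `%` and `_` is the separate, easily missed step that stops a search term from silently widening into a match-everything query.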