Refactor: Prevent potential SQL injection in Stats helper methods
**Description**
While I was auditing the backend architecture, I found a potential SQL injection vulnerability in the statistics visualization helper methods introduced in the 2019 GSoC block.
In **`src/Model/Table/ArtifactsTable.php`**, in the functions `getTopGenres()`, `getTopLanguages()` and `getTopMaterials()`, the `$limit` variable is concatenated directly into raw SQL strings without any validation.
Currently the framework is unaffected by this: when I traced the call stack, I discovered that the internal helpers/endpoints which invoke this never ask for user values and use hardcoded values.
But this could be a potential trap in the future, if someone uses this and decides to pass in a value for limit.
**Reproduction**
```bash
docker exec cdlidev_mariadb_1 sh -c "mariadb -u root cdli_db -e \"SELECT COUNT(*) AS count, (SELECT genre FROM genres WHERE id = genre_id) AS genre FROM artifacts_genres WHERE 1 GROUP BY genre_id ORDER BY COUNT(*) DESC LIMIT 6; DELETE FROM genres WHERE genre='INJECT_ME';\" > /dev/null 2>&1; mariadb -u root cdli_db --table -e 'SELECT id, genre FROM genres;'"
```
Replace `genre='INJECT_ME'` with a value present in the genre table.
**Expected behavior**
The SQL injection can lead to diverse effects, from editing and adding to deleting rows, depending on the query injected. This could be avoided by using the CakePHP ORM or, more simply, by typecasting it to an integer.
**Screenshots**
Before Injection: [screenshot]
After Injection: [screenshot]
**Want to take up?**
Yes, I want to take this up.
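
The mitigation named under "Expected behavior" (treat `$limit` strictly as an integer), sketched as an added example that is not the project's code. It assumes PHP 8 with the `pdo_sqlite` extension and uses PDO with an in-memory SQLite database instead of the CakePHP connection so it runs stand-alone; `normalizeLimit()`, `getTopGenresSafe()`, the `artifact_id` column and the sample rows are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not the project's code): accept only a whole number in a sane range.
function normalizeLimit(mixed $limit, int $max = 100): int
{
    $value = filter_var($limit, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => $max]]);
    if ($value === false) {
        throw new InvalidArgumentException('limit must be an integer between 1 and ' . $max);
    }
    return $value;
}

// Same aggregate query as in the reproduction, but LIMIT is a bound integer parameter
// instead of a value concatenated into the SQL string.
function getTopGenresSafe(PDO $db, mixed $limit): array
{
    $stmt = $db->prepare(
        'SELECT COUNT(*) AS count, (SELECT genre FROM genres WHERE id = genre_id) AS genre
           FROM artifacts_genres GROUP BY genre_id ORDER BY COUNT(*) DESC LIMIT :limit'
    );
    $stmt->bindValue(':limit', normalizeLimit($limit), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE genres (id INTEGER PRIMARY KEY, genre TEXT)');
$db->exec('CREATE TABLE artifacts_genres (artifact_id INTEGER, genre_id INTEGER)');
$db->exec("INSERT INTO genres VALUES (1, 'Administrative'), (2, 'Legal'), (3, 'INJECT_ME')");
$db->exec('INSERT INTO artifacts_genres VALUES (10, 1), (11, 1), (12, 2), (13, 3)');

// Constructed inputs: two valid limits, the string from the reproduction, a negative, a float.
$inputs = [2, '2', "6; DELETE FROM genres WHERE genre='INJECT_ME';", '-1', 2.5];
foreach ($inputs as $input) {
    try {
        $rows = getTopGenresSafe($db, $input);
        echo var_export($input, true), ' => ', count($rows), " rows\n";
    } catch (InvalidArgumentException $e) {
        echo var_export($input, true), ' => rejected: ', $e->getMessage(), "\n";
    }
}
// The genres table should be untouched after all calls.
echo 'genres rows remaining: ', $db->query('SELECT COUNT(*) FROM genres')->fetchColumn(), "\n";
```

Rejecting out-of-range or non-integer input with an exception, rather than silently casting, also surfaces callers that start passing unexpected values.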