Weakness reference
CWE-707

Improper Neutralization

01 Summary

This weakness describes a failure to properly validate and sanitize structured data before passing it to another component or system. When software doesn't ensure that messages, queries, or commands are well-formed and respect component boundaries, attackers can inject malicious content that the downstream component interprets as legitimate instructions. This is the foundational category underlying injection vulnerabilities across all contexts—SQL, command-line, XML, LDAP, and more.

02 How It Happens

The vulnerability arises when a developer treats user-supplied input as trusted data without verifying its structure or escaping special characters that have meaning in the target system. When data flows from one component to another (a web form to a database query, user input to a shell command, or a request to an XML parser), the receiving component interprets certain characters or sequences as control instructions rather than literal data. If the sending component doesn't neutralize these special characters or validate the data's structure, an attacker can craft input that breaks out of the intended data context and executes unintended logic in the downstream system.

03 Real-World Impact

Improper neutralization can lead to complete system compromise. An attacker might execute arbitrary SQL commands to steal or modify database records, run shell commands with application privileges, bypass authentication logic, or manipulate XML parsing to access restricted files. The severity depends on what the downstream component can do—a database query injection might expose customer data, while a command injection could grant shell access to the server. Even seemingly minor injection points can escalate to full application takeover when chained with other weaknesses.

04 Vulnerable & Fixed Patterns

Vulnerable pattern
import sqlite3
from flask import request  # assumed: `request` is a Flask request object

connection = sqlite3.connect("example.db")  # placeholder database path

user_id = request.args.get('id')
# The untrusted id is spliced into the SQL text, so any SQL syntax it
# contains becomes part of the statement instead of staying a value.
query = "SELECT * FROM users WHERE id = " + user_id
cursor = connection.execute(query)
results = cursor.fetchall()

Why it's vulnerable:
The user-supplied id parameter is concatenated directly into the SQL query string. An attacker can supply `1 OR 1=1` or `1; DROP TABLE users;--` to alter the query's logic or structure (the stacked second statement only runs where the driver accepts several statements per call; Python's sqlite3 execute() rejects it, but the logic-altering form works everywhere).

Fixed pattern
import sqlite3
from flask import request  # assumed: `request` is a Flask request object

connection = sqlite3.connect("example.db")  # placeholder database path

user_id = request.args.get('id')
# The `?` placeholder keeps the statement fixed; the driver binds the
# value as data, so it cannot change the query's structure.
query = "SELECT * FROM users WHERE id = ?"
cursor = connection.execute(query, (user_id,))
results = cursor.fetchall()

Vulnerable pattern
<?php
// $connection is assumed to be an existing mysqli connection.
$username = $_GET['user'];
// The untrusted value is embedded inside the quoted literal, so a quote
// character in it ends the literal and the rest is parsed as SQL.
$query = "SELECT * FROM accounts WHERE username = '" . $username . "'";
$result = mysqli_query($connection, $query);

Why it's vulnerable:
The $username variable is embedded directly into the query string without escaping or parameterization. An attacker can inject SQL syntax by supplying `' OR '1'='1` or similar payloads.

Fixed pattern
<?php
// $connection is assumed to be an existing mysqli connection.
$username = $_GET['user'];
$query = "SELECT * FROM accounts WHERE username = ?";
$stmt = mysqli_prepare($connection, $query);
if ($stmt === false) {
    throw new RuntimeException(mysqli_error($connection));
}
// "s" binds the value as a string; the statement text never changes.
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);
// mysqli_stmt_get_result() needs the mysqlnd driver.
$result = mysqli_stmt_get_result($stmt);

05 Prevention Checklist

Use parameterized queries or prepared statements for all database interactions; never concatenate user input into query strings.

Validate input against a strict allowlist of expected formats (e.g., numeric IDs should match ^\d+$); reject anything that doesn't conform.

Escape or encode output appropriate to the target context (HTML entities for web display, shell escaping for command execution, XML encoding for XML documents).

Maintain clear component boundaries by defining what data each component accepts and rejecting malformed input at entry points.

Use framework-provided sanitization functions (e.g., wp_kses() in WordPress, parameterized query builders in ORMs) rather than rolling your own.

Apply the principle of least privilege so that even if injection succeeds, the compromised component has minimal permissions.
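The checklist above carried into working Python, as an added example that is not code from the original page: a constructed in-memory SQLite table stands in for the page's users table, the concatenated and parameterized lookups sit side by side, a numeric-id allowlist check replaces the regex from the checklist, and per-context escaping uses the standard library's html, shlex and xml.sax.saxutils helpers.

```python
import html
import re
import shlex
import sqlite3
from xml.sax.saxutils import escape as xml_escape


def make_db():
    # Constructed in-memory stand-in for the page's `users` table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_concatenated(conn, user_id):
    # The page's vulnerable pattern: the input becomes part of the SQL text,
    # so "1 OR 1=1" turns a single-row lookup into a full-table read.
    return conn.execute("SELECT * FROM users WHERE id = " + user_id).fetchall()


def lookup_parameterized(conn, user_id):
    # The fixed pattern: the driver binds the value as data, so the same
    # payload is compared against id as one literal string and matches nothing.
    return conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()


def parse_id(user_id):
    # Allowlist validation from the checklist. fullmatch with re.ASCII is
    # slightly stricter than ^\d+$, which would also accept a trailing newline
    # and, in Python 3, non-ASCII digit characters.
    if user_id is None or not re.fullmatch(r"\d+", user_id, re.ASCII):
        return None
    return int(user_id)


def neutralize(value, context):
    # Output encoding chosen by the receiving component, as the checklist
    # describes; the same value needs a different transformation per syntax.
    if context == "html":
        return html.escape(value, quote=True)
    if context == "shell":
        return shlex.quote(value)
    if context == "xml":
        return xml_escape(value, {'"': "&quot;"})
    raise ValueError("no encoder for context: " + context)
```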

06 Signs You May Already Be Affected

Look for unexpected query results, unusual database activity, or error messages containing fragments of your code or system paths in application logs. Check for unfamiliar files in web-accessible directories, unexpected user accounts in your database or system, or log entries showing malformed requests that were processed successfully. Monitor for slow queries or high CPU usage that might indicate injected loops or resource-intensive commands.

07 Related Recent Vulnerabilities