Weakness reference
CWE-74

Improper Neutralization of Special Elements in Output ('Injection')

01 Summary

Injection occurs when an application takes user-supplied input and uses it to construct a command, query, or code string without properly neutralizing special characters or syntax elements. An attacker can inject malicious syntax that changes the intended meaning of the string, leading to unintended execution or data access. This is one of the most common and dangerous vulnerability classes in web applications.

02 How It Happens

When user input is concatenated directly into a string that will be interpreted by another system—a database engine, shell interpreter, template engine, or XML parser—special characters in that input can break out of the intended context. For example, a single quote in a name field might prematurely close a SQL string literal, allowing an attacker to append arbitrary SQL commands. The root cause is the assumption that user input is "safe" or that it will only ever contain expected characters. No validation or encoding is applied before the string is passed to the downstream interpreter.

03 Real-World Impact

Injection vulnerabilities can lead to complete compromise of an application. In database injection scenarios, attackers can read, modify, or delete sensitive data. In command injection, they may execute arbitrary system commands with the privileges of the web server process. In template or expression language injection, attackers can access application state, call functions, or read files. Even seemingly minor injection flaws can escalate to authentication bypass, privilege escalation, or remote code execution depending on the context and what the downstream system can do.

04 Vulnerable & Fixed Patterns

Vulnerable pattern
import sqlite3

def search_user(user_input):
    conn = sqlite3.connect(':memory:')
    cursor = conn.cursor()
    # An in-memory database starts empty; create a minimal table so the example runs
    cursor.execute("CREATE TABLE users (name TEXT)")
    cursor.execute("INSERT INTO users VALUES ('admin'), ('alice')")
    # Directly concatenating user input into SQL query
    query = "SELECT * FROM users WHERE name = '" + user_input + "'"
    cursor.execute(query)
    return cursor.fetchall()

# The injected OR clause makes the WHERE condition true for every row
result = search_user("admin' OR '1'='1")

Why it's vulnerable:
The user_input is concatenated directly into the SQL query string. An attacker can inject SQL syntax (like ' OR '1'='1) to alter the query logic and bypass authentication or extract unauthorized data.

Fixed pattern
import sqlite3

def search_user(user_input):
    conn = sqlite3.connect(':memory:')
    cursor = conn.cursor()
    # An in-memory database starts empty; create a minimal table so the example runs
    cursor.execute("CREATE TABLE users (name TEXT)")
    cursor.execute("INSERT INTO users VALUES ('admin'), ('alice')")
    # Use parameterized query with placeholder; the driver binds the value as data, not SQL
    query = "SELECT * FROM users WHERE name = ?"
    cursor.execute(query, (user_input,))
    return cursor.fetchall()

# The same payload is now compared literally against the name column and matches nothing
result = search_user("admin' OR '1'='1")

Vulnerable pattern
<?php
// $conn is assumed to be an open mysqli connection created elsewhere (not shown)
$username = $_GET['user'];
// Directly concatenating user input into SQL query
$query = "SELECT * FROM users WHERE username = '" . $username . "'";
$result = mysqli_query($conn, $query);
?>

Why it's vulnerable:
The $_GET parameter is concatenated directly into the SQL query without escaping or parameterization. An attacker can inject SQL commands by crafting a malicious URL parameter.

Fixed pattern
<?php
// $conn is assumed to be an open mysqli connection created elsewhere (not shown)
$username = $_GET['user'];
// Use prepared statement with bound parameters; "s" binds the value as a string
$stmt = $conn->prepare("SELECT * FROM users WHERE username = ?");
$stmt->bind_param("s", $username);
$stmt->execute();
$result = $stmt->get_result();
?>

05 Prevention Checklist

Use parameterized queries or prepared statements for all database interactions; never concatenate user input into SQL strings.
Validate and allowlist input where possible; reject anything that doesn't match an expected format (e.g., usernames should be alphanumeric).
Encode output appropriately for the context (HTML entities for web display, shell escaping for system commands, JSON encoding for APIs).
Apply the principle of least privilege to database and system accounts; limit what an injected command can do even if it succeeds.
Use security libraries and frameworks that provide built-in protections (ORMs, template engines with auto-escaping, command builders).
Perform code review specifically looking for string concatenation with external input; flag and refactor any instances found.

06 Signs You May Already Be Affected

Look for unexpected database queries in logs, unusual characters or SQL syntax in access logs (e.g., %27 or OR%201%3D1 in URLs), or error messages revealing database structure. Check for unexpected admin accounts or permission changes, or files created in unexpected locations. If your application suddenly returns data it shouldn't or behaves differently than designed, injection may be the cause.
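An added example, not part of this reference page, that turns the access-log check described above into code: it URL-decodes each query parameter of constructed Combined Log Format lines (also undoing double encoding) and flags values where a string-literal quote is followed by a boolean operator or a comment marker. The log lines and the pattern list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (Combined Log Format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2024:12:00:01 +0000] "GET /search?name=alice HTTP/1.1" 200 512
10.0.0.9 - - [10/May/2024:12:00:02 +0000] "GET /search?name=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192
10.0.0.9 - - [10/May/2024:12:00:03 +0000] "GET /search?name=bob%27--+ HTTP/1.1" 500 0
10.0.0.7 - - [10/May/2024:12:00:04 +0000] "GET /search?name=O%27Brien HTTP/1.1" 200 640
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Patterns applied to the *decoded* parameter value: a string-literal quote followed
# by a boolean operator or a SQL comment marker, or a statement separator followed by
# a write verb. Decoding first matters because %27, ' and %2527 are the same payload.
SUSPICIOUS = [
    re.compile(r"'\s*(or|and)\s+\S", re.IGNORECASE),    # quote, then OR/AND ...
    re.compile(r"'\s*(--|#|/\*)"),                       # quote, then comment marker
    re.compile(r";\s*(drop|delete|update|insert)\b", re.IGNORECASE),
]

def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (stops once the value is stable)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_request_line(line: str):
    """Return (param, decoded_value) pairs in one log line that look like SQL injection."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    hits = []
    for key, raw in parse_qsl(query, keep_blank_values=True):  # parse_qsl decodes once
        value = decode_fully(raw)                               # handle nested encoding
        if any(p.search(value) for p in SUSPICIOUS):
            hits.append((key, value))
    return hits

def scan_log(text: str):
    """Map 1-based line number -> flagged parameters, for every suspicious line."""
    return {n: hits for n, line in enumerate(text.splitlines(), 1)
            if (hits := flag_request_line(line))}
```

The apostrophe in O'Brien is deliberately not flagged: the check keys on quote-plus-operator rather than on quotes alone, which keeps legitimate names from generating noise.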

07 Related Recent Vulnerabilities