Improper Neutralization of Special Elements in Output ('Injection')
Injection occurs when an application takes user-supplied input and uses it to construct a command, query, or code string without properly neutralizing special characters or syntax elements. An attacker can inject malicious syntax that changes the intended meaning of the string, leading to unintended execution or data access. This is one of the most common and dangerous vulnerability classes in web applications.
How It Happens
When user input is concatenated directly into a string that will be interpreted by another system—a database engine, shell interpreter, template engine, or XML parser—special characters in that input can break out of the intended context. For example, a single quote in a name field might prematurely close a SQL string literal, allowing an attacker to append arbitrary SQL commands. The root cause is the assumption that user input is "safe" or that it will only ever contain expected characters. No validation or encoding is applied before the string is passed to the downstream interpreter.
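The same breakout in a shell interpreter, as an added example (not code from the original page): user input concatenated into a command line and run through /bin/sh, beside the fix of passing it as a single argv element so no shell ever parses it, plus an allowlist check that rejects metacharacters before any interpreter sees them. `echo` stands in for a real tool such as `ping` so the code runs anywhere; the hostname, the function names and the hostname pattern are assumptions for illustration.

```python
import re
import subprocess

# Constructed attacker input: a hostname field that also carries a ';'
# and a second command.
MALICIOUS_HOST = "example.com; echo INJECTED"


def lookup_vulnerable(host):
    """Concatenate the input into a command line and hand it to /bin/sh.
    The ';' terminates the intended command; everything after it runs as
    a new command. 'echo' stands in for a real tool such as ping."""
    cmd = "echo resolving " + host
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def lookup_fixed(host):
    """Pass the input as one element of argv. No shell parses it, so the
    ';' and what follows are just characters inside a single argument."""
    proc = subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True)
    return proc.stdout


# Allowlist (assumed policy): RFC 1123 hostname labels only. Shell
# metacharacters, spaces and quotes are rejected outright.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def is_valid_hostname(host):
    return len(host) <= 253 and HOSTNAME_RE.match(host) is not None


def lookup_hardened(host):
    """Validation plus argv passing: defence in depth, since the allowlist
    alone would not help if someone later reintroduced shell=True."""
    if not is_valid_hostname(host):
        raise ValueError("invalid hostname: %r" % host)
    return lookup_fixed(host)


if __name__ == "__main__":
    print(repr(lookup_vulnerable(MALICIOUS_HOST)))  # second command ran
    print(repr(lookup_fixed(MALICIOUS_HOST)))       # whole string echoed literally
```

With the malicious input, the vulnerable function's stdout is two lines (`resolving example.com` and `INJECTED`), while the fixed function prints the literal string on one line; the shell never had a chance to interpret the `;`.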
Real-World Impact
Injection vulnerabilities can lead to complete compromise of an application. In database injection scenarios, attackers can read, modify, or delete sensitive data. In command injection, they may execute arbitrary system commands with the privileges of the web server process. In template or expression language injection, attackers can access application state, call functions, or read files. Even seemingly minor injection flaws can escalate to authentication bypass, privilege escalation, or remote code execution depending on the context and what the downstream system can do.
Vulnerable & Fixed Patterns
Vulnerable pattern
import sqlite3

def search_user(user_input):
    conn = sqlite3.connect(':memory:')
    cursor = conn.cursor()
    # Minimal schema and two rows so the example runs stand-alone
    cursor.execute("CREATE TABLE users (name TEXT)")
    cursor.executemany("INSERT INTO users VALUES (?)", [("admin",), ("alice",)])
    # Directly concatenating user input into SQL query
    query = "SELECT * FROM users WHERE name = '" + user_input + "'"
    cursor.execute(query)
    return cursor.fetchall()

# The injected OR makes the WHERE clause true for every row: both users come back
result = search_user("admin' OR '1'='1")
Why it's vulnerable: user_input is concatenated directly into the SQL string, so the quote in the input closes the literal early. The query that reaches SQLite is SELECT * FROM users WHERE name = 'admin' OR '1'='1', a condition that is true for every row, so the whole table is returned instead of one user. The same trick against a login query (WHERE username = ? AND password = ?) bypasses authentication, and with UNION or stacked statements an attacker can read or modify other tables.
Fixed pattern
import sqlite3

def search_user(user_input):
    conn = sqlite3.connect(':memory:')
    cursor = conn.cursor()
    # Minimal schema and two rows so the example runs stand-alone
    cursor.execute("CREATE TABLE users (name TEXT)")
    cursor.executemany("INSERT INTO users VALUES (?)", [("admin",), ("alice",)])
    # Use parameterized query with placeholder; the value is bound, never parsed as SQL
    query = "SELECT * FROM users WHERE name = ?"
    cursor.execute(query, (user_input,))
    return cursor.fetchall()

# The whole string is compared as one name; no such user exists, so result is []
result = search_user("admin' OR '1'='1")
Vulnerable pattern
<?php
$username = $_GET['user'];
// Directly concatenating user input into SQL query
$query = "SELECT * FROM users WHERE username = '" . $username . "'";
$result = mysqli_query($conn, $query);
?>
Why it's vulnerable: The $_GET parameter is concatenated directly into the SQL query without escaping or parameterization. An attacker can inject SQL commands by crafting a malicious URL parameter.
Fixed pattern
<?php
$username = $_GET['user'];
// Use prepared statement with bound parameters
$stmt = $conn->prepare("SELECT * FROM users WHERE username = ?");
$stmt->bind_param("s", $username);
$stmt->execute();
$result = $stmt->get_result();
?>
Prevention Checklist
Use parameterized queries or prepared statements for all database interactions; never concatenate user input into SQL strings.
Validate and allowlist input where possible—reject anything that doesn't match an expected format (e.g., usernames should be alphanumeric).
Encode or escape output for the exact context it lands in (HTML entities for web display, JSON encoding for APIs). For system commands, avoid building a command line at all: pass arguments as an array so no shell parses them; shell escaping (shlex.quote, escapeshellarg) is a fallback for the rare case where a shell is unavoidable.
Apply the principle of least privilege to database and system accounts; limit what an injected command can do even if it succeeds.
Use libraries and frameworks that provide built-in protections (ORMs, template engines with auto-escaping, command builders), and remember that they still expose raw-query and unescaped-output paths; concatenating input into those is just as dangerous as doing it by hand.
Perform code review specifically looking for string concatenation with external input; flag and refactor any instances found.
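One way to mechanise the last item above, as an added example (not the page's own code): a small Python AST pass that flags calls to execute/run-style sinks whose first argument is built by concatenation, %, str.format or an f-string, including the case where the built string arrives through a variable, as in the page's own vulnerable pattern. The sink list, the sample source being scanned and the function names are assumptions for illustration; results are review leads, not proof.

```python
import ast
from typing import Dict, List, Optional, Tuple

# Assumed sink list: methods whose first positional argument is handed to
# an interpreter (DB cursors, subprocess, os.system). Extend per code base.
SINK_METHODS = {"execute", "executemany", "executescript",
                "run", "call", "check_output", "Popen", "system"}


def dynamic_string_reason(node: ast.AST) -> Optional[str]:
    """Name the string-building construct at the top of an expression,
    or return None for literals and anything else we do not recognise."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "% formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format"
    return None


def find_injection_sinks(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, sink name, reason) for each sink call fed a built string."""
    tree = ast.parse(source)
    # Pass 1: remember `name = <built string>` so a sink fed through a
    # variable is caught. Flow-insensitive: a later rebinding of the same
    # name is not tracked, so expect some false positives.
    built_names: Dict[str, str] = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            reason = dynamic_string_reason(node.value)
            if reason:
                built_names[node.targets[0].id] = reason
    # Pass 2: flag sink calls whose first argument is built or aliased.
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and node.args):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in SINK_METHODS:
            continue
        arg = node.args[0]
        reason = dynamic_string_reason(arg)
        if reason is None and isinstance(arg, ast.Name) and arg.id in built_names:
            reason = "%s via variable '%s'" % (built_names[arg.id], arg.id)
        if reason:
            findings.append((node.lineno, name, reason))
    return sorted(findings)


# Constructed sample to scan: the page's vulnerable and fixed SQL patterns,
# a shell command built with an f-string, its argv fix, and % formatting.
SAMPLE = '''
import sqlite3, subprocess

def search_user(cursor, user_input):
    query = "SELECT * FROM users WHERE name = '" + user_input + "'"
    cursor.execute(query)

def search_user_fixed(cursor, user_input):
    cursor.execute("SELECT * FROM users WHERE name = ?", (user_input,))

def ping(host):
    subprocess.run(f"ping -c 1 {host}", shell=True)

def ping_fixed(host):
    subprocess.run(["ping", "-c", "1", host])

def count_rows(cursor, table):
    cursor.execute("SELECT count(*) FROM %s" % table)
'''

if __name__ == "__main__":
    for line, sink, reason in find_injection_sinks(SAMPLE):
        print("line %d: %s() called with %s" % (line, sink, reason))
```

Against the sample the pass reports lines 6, 12 and 18 (the concatenated query passed through a variable, the f-string command line, and the %-formatted table name) and stays silent on the parameterized query and the argv-style subprocess call, which is exactly the distinction a reviewer is looking for. Note that the table-name case cannot be fixed with a placeholder, since identifiers cannot be bound; it needs an allowlist of permitted table names.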
Signs You May Already Be Affected
Look for unexpected database queries in logs; unusual characters or SQL syntax in access logs (e.g., %27 or OR%201%3D1 in URLs, often from a single client in a burst); or database error text (syntax errors, table or column names) surfacing in application responses, typically accompanied by a spike in 5xx errors. Check for unexpected admin accounts or permission changes, or files created in unexpected locations. If your application suddenly returns data it shouldn't or behaves differently than designed, injection may be the cause.
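The log indicators above, turned into something that runs over an access log, as an added example (not the page's own code): parse each combined-format line, URL-decode the request target repeatedly (attackers double-encode to dodge naive filters), normalise it, and match a handful of SQL injection signatures. The log lines are constructed, the signature set is illustrative and the function names are assumptions; a legitimate apostrophe (O'Brien) is included to show that a quote alone is not flagged.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Illustrative signatures, matched against the decoded, lower-cased target.
# Tune for your application: "--" in particular can occur in benign data.
SIGNATURES = {
    "tautology":     re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d*'?"),    # ' OR '1'='1
    "sql_comment":   re.compile(r"(--|/\*)"),
    "union_select":  re.compile(r"\bunion\b.*\bselect\b"),
    "stacked_query": re.compile(r";\s*(drop|insert|update|delete|alter|exec)\b"),
    "time_probe":    re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b"),
}


def normalise(target):
    """URL-decode until stable (catches double encoding such as %2527),
    then lower-case and collapse whitespace."""
    for _ in range(3):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return " ".join(target.lower().split())


def classify(target):
    text = normalise(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan_log(lines):
    """Return (ip, raw target, status, tags) for every request matching at
    least one signature. A 5xx next to a hit suggests the injected syntax
    reached the database and broke the query."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["target"])
        if tags:
            hits.append((m["ip"], m["target"], int(m["status"]), tags))
    return hits


# Constructed sample log: two benign requests and five probes from one
# client, the last probe double-URL-encoded.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:30 +0000] "GET /search?name=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:31 +0000] "GET /search?name=O%27Brien HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?name=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /item?id=1%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 500 231 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /api?id=5%3B%20DROP%20TABLE%20users HTTP/1.1" 500 231 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:51 +0000] "GET /page?q=1%20AND%20SLEEP(5) HTTP/1.1" 200 640 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:59 +0000] "GET /search?name=%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1" 200 9120 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, target, status, tags in scan_log(SAMPLE_LOG):
        print(ip, status, ",".join(tags), target)
```

On the sample, the five probes are reported and the two benign requests are not; the 500 responses on the UNION and stacked-query lines are the "error messages revealing database structure" signal from the text, while the oversized 200 response on the tautology line (9120 bytes against roughly 500 for a normal search) is the "returns data it shouldn't" signal.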