OWASP #3 (2021) – Injection
Injection happens when untrusted input is sent to an interpreter (a SQL engine, an OS shell, the browser's HTML/JavaScript parser, an LDAP or XPath query engine) as part of a command or query, without being kept separate from the command itself. The interpreter cannot tell where the command ends and the data begins, so an attacker can change what the command does: read or modify data they should not see, or, in the worst case, run arbitrary code on the system.
Classic example: SQL Injection. A vulnerable query might look like this, with $input pasted straight into the SQL text:
SELECT * FROM users WHERE name = '$input';
An attacker could input something like:
' OR '1'='1
The first quote closes the string literal, so the WHERE clause becomes name = '' OR '1'='1', which is true for every row. The query now returns the whole table, which is enough to bypass a login check or worse.
Command injection, XSS, and other forms follow the same pattern: input gets treated as code.
If you’ve never seen Little Bobby Tables (xkcd #327), it’s a perfect (and hilarious) example of how dangerous this can be. The comic’s moral is “sanitize your database inputs”, but the real lesson is that input should never be spliced into a query in the first place.
To prevent injection:
- Use parameterized queries (prepared statements). The query text stays fixed and user input is only ever bound as a value, so it can’t be parsed as SQL. Where a value can’t be parameterized (table or column names, ORDER BY targets), check it against a fixed allow-list instead.
- Never build commands by concatenating user input. For OS commands, pass arguments as an argument vector to the program rather than handing a string to a shell.
- Validate all inputs against what you actually expect (type, length, character set) as a second layer of defense, not the only one. Hand-written sanitizing and escaping of input is easy to get wrong.
- Escape output for the context it lands in (HTML body, HTML attribute, JavaScript, URL); the same string needs different encoding in each. For SQL, escaping is only a fallback when parameterization isn’t available.
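To make the difference concrete, here is the query from the example above written both ways in Python with the standard sqlite3 module, plus the allow-list case for a column name that cannot be bound as a parameter. This is an added example, not code from the original post; the users table, its two rows and the list of sortable columns are constructed for the demo.

```python
import sqlite3

# Constructed sample data for this demo; not from the original post.
SAMPLE_USERS = [
    ("alice", "s3cret", "2024-01-02"),
    ("bob", "hunter2", "2024-01-01"),
]

# Columns a caller may sort by. Identifiers cannot be bound with '?',
# so they are checked against this fixed allow-list instead of escaped.
ALLOWED_SORT_COLUMNS = ("name", "created")


def make_db():
    """In-memory SQLite database with a small users table (demo data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, created TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, name):
    """The post's query, built by string interpolation (DO NOT DO THIS).

    The input becomes part of the SQL text, so a quote in it closes the
    string literal and whatever follows is parsed as SQL.
    """
    sql = f"SELECT name FROM users WHERE name = '{name}';"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Parameterized version: the SQL text is fixed and the value travels
    separately, so it is compared as data and never parsed as code."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?;", (name,))
    return [row[0] for row in rows]


def list_users_sorted(conn, column):
    """ORDER BY takes an identifier, which '?' cannot bind. The safe option
    is to accept only column names from a fixed allow-list."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    rows = conn.execute(f"SELECT name FROM users ORDER BY {column};")
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable, normal input:", find_user_vulnerable(db, "alice"))
    print("vulnerable, payload:     ", find_user_vulnerable(db, payload))
    print("parameterized, payload:  ", find_user_safe(db, payload))
    print("sorted by created:       ", list_users_sorted(db, "created"))
```

With the payload, the interpolated version returns both users while the parameterized one returns nothing, because it looked for a user literally named ' OR '1'='1. One caveat: sqlite3's execute() refuses to run more than one statement, so a Bobby Tables style "'; DROP TABLE users;--" payload raises an error here rather than dropping the table. Other drivers and databases do accept stacked statements, so that protection is an accident of this driver, not something to rely on.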
Injection is dangerous, common, and totally avoidable. Always treat user input as suspicious - even if it looks harmless.