Index · TL;DR
1 min readTL;DR
Injection happens whenever untrusted input is allowed to cross the boundary between data and code, so that data the attacker controls ends up being interpreted as part of a command, query, markup, or template. SQL injection, cross-site scripting (XSS), OS command injection, LDAP/NoSQL injection, and server-side template injection (SSTI) are all the same bug wearing different costumes: a string built by concatenating trusted instructions with untrusted values, then handed to an interpreter that cannot tell which parts the developer wrote and which parts the attacker supplied. The fix is always the same principle — keep code and data on separate channels. Use parameterized queries / prepared statements so the SQL engine receives the query structure and the values independently; encode output for the exact context (HTML body, attribute, JavaScript, URL) so a browser never reinterprets your data as markup or script; avoid passing user input to a shell at all, and when you must, use argument arrays instead of a shell string. Layer on allow-list validation, least-privilege database accounts, and a Content Security Policy so that even a missed encoding step is contained rather than catastrophic.