a shot of dev knowledge


What are injection flaws?

Injection flaws are a security vulnerability that allows a user to gain access to the backend database, shell command, or operating system call if the web app takes user input. Hackers append additional information within these input boxes and can create, read, update, or delete data. They may be able to append complete scripts into applications and can, therefore, execute such commands.

There are many types of injection flaws:

  • SQL Injection
  • XML Injection
  • HTML Injection
  • OS Command Injection
  • LDAP Injection


The following command can be added to access an account of a user using SQL Injection.

In the password column, type:

abc' OR 1==1 --

The backend SQL command is:

 SELECT * FROM users WHERE email = \$email AND PASSWORD = sha256($password)

Here, when the user adds the value or email and password, the command becomes:

 SELECT * FROM users WHERE email = abc@j.com AND PASSWORD = sha256(abc') OR 1==1 -- )

Since the above command contains 1==1, which is always true, the system grants access to the email, abc@h.comabc@h.com.

How to prevent injection attacks

There are many ways to protect against an Injection flaw:

  • Validation: Check that the input is similar to what is expected, e.g, J<o>hn is not a valid name and, therefore, < and similar characters should not be allowed.
  • Encode: Certain characters such as ' are allowed within names. Thus, these characters should be encoded before transmitting to the back end, e.g., John O’Leary must be transmitted as John O%27Leary if URL encoding is used. This would ensure that the database does not treat ' as an ending quote, but rather as a string. However, it is important to decode the string before it’s displayed on the screen.
  • Tools: Make use of prepared statements that prevent such attacks. These statements are applicable in java, PHP, SQL, and many other languages. The following suggests how to use Prepared Statements.
String name = request.getParameter("name");
String query = "SELECT account_balance FROM users WHERE username = ?";
PreparedStatement a = connection.prepareStatement(query);
a.setString (1, name);

This automatically applies validation on usernames and prevents any invalid characters. The syntax also prevents hackers from gaining access to other unauthorized information.



View all Courses

Keep Exploring