Injection
Injection flaws occur when untrusted data is sent to an interpreter (SQL, NoSQL, an OS shell, LDAP, XPath) as part of a command or query. Because the interpreter cannot distinguish the data from the surrounding command, attacker-controlled input can change the structure of the query rather than just its values. In a SQL login check, for example, a username of ' OR '1'='1 turns the WHERE clause into one that is always true, so the attacker is logged in without knowing a password; the same technique lets attackers execute unintended commands or read and modify data they are not authorized to access.
# Vulnerable code: request parameters are concatenated straight into the SQL text
username = request.getParameter("username")
password = request.getParameter("password")
# The quotes the attacker supplies close the literal and the rest of the input becomes SQL
query = "SELECT * FROM users WHERE username='" + username + "' AND password='" + password + "'"
result = executeQuery(query)
# Secure code (parameterized query / prepared statement): the SQL text is fixed and the values travel separately
username = request.getParameter("username")
password = request.getParameter("password")
# ? placeholders are bound by the driver; quotes in the input stay inside the value and never become SQL
query = "SELECT * FROM users WHERE username=? AND password=?"
result = executeQuery(query, [username, password])
Parameterization removes the injection, but note that this query still compares passwords stored in plaintext. Store a salted password hash instead and compare the hash in application code; the parameterized lookup should fetch the user row by username only.
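The following is an added example, not code from the original page: the two snippets above rewritten as runnable Python against an in-memory SQLite database, so the bypass and the fix can be run side by side. The users table, the single account alice/s3cret, and the two attacker payloads (the tautology ' OR '1'='1 and the comment trick alice' --) are constructed for the demonstration.

```python
"""Added example: SQL injection login bypass and its parameterized fix (SQLite).

Not part of the original page. The database contents and payloads are
constructed here for the demonstration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with one account (alice / s3cret)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def render_vulnerable_query(username: str, password: str) -> str:
    """Build the SQL exactly as the page's vulnerable snippet does (string concatenation)."""
    return (
        "SELECT id, username FROM users WHERE username='"
        + username
        + "' AND password='"
        + password
        + "'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Vulnerable: attacker input becomes part of the SQL text.

    Returns the matched (id, username) row or None.
    """
    return conn.execute(render_vulnerable_query(username, password)).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Fixed: the SQL text is constant and the values are bound via ? placeholders.

    A quote or comment marker inside the input stays inside the bound value.
    """
    query = "SELECT id, username FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"      # makes the WHERE clause always true
    comment = "alice' --"          # SQLite treats -- as a comment, dropping the password check

    print(render_vulnerable_query(tautology, tautology))
    print("vulnerable, tautology:", login_vulnerable(db, tautology, tautology))
    print("vulnerable, comment  :", login_vulnerable(db, comment, "wrong"))
    print("safe, tautology      :", login_safe(db, tautology, tautology))
    print("safe, comment        :", login_safe(db, comment, "wrong"))
    print("safe, real creds     :", login_safe(db, "alice", "s3cret"))
```

Run it and compare the printed query with the vulnerable result: with the tautology payload the WHERE clause parses as username='' OR ('1'='1' AND password='') OR '1'='1', which is true for every row, so alice's record comes back with no password at all; the comment payload simply cuts the password condition off. The parameterized version returns nothing for either payload and only matches the real credentials. Binding values is what makes the difference; escaping quotes by hand is easy to get wrong and is not the fix.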