Injection
Inserting malicious input that the system mistakenly interprets as code or commands.
Injection happens when untrusted input is interpreted as code or commands — SQL injection (database), command injection (OS shell), and LDAP injection are the classic forms. The root cause is mixing data with code; the fix is to separate them with parameterized queries / prepared statements, plus input validation and least-privilege service accounts as defense-in-depth. Injection topped the OWASP Top 10 for years (No. 1 on the 2010, 2013, and 2017 lists) and still makes the 2025 list at A05 because it’s both common and high-impact.
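As an added illustration (not part of the original entry), the vulnerable string-built query and its parameterized counterpart side by side, using Python's sqlite3 against a constructed in-memory table; the hostile input is the textbook quote-closing string and the table contents are made up for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo: a tiny in-memory user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # Untrusted input is spliced into the SQL text, so the database parses
    # data as code: this is the "mixing data with code" root cause.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    # The statement shape is fixed and the value travels separately as a bound
    # parameter, so whatever the string contains is compared literally as a name.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed input that closes the quoted literal
    return {
        "vulnerable": find_user_vulnerable(conn, hostile),      # every row leaks
        "parameterized": find_user_parameterized(conn, hostile),  # no such user
        "honest": find_user_parameterized(conn, "alice"),         # normal lookup
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Running it shows the string-built query returning all three rows for the hostile input while the parameterized query returns none; a least-privilege, read-only database account would limit what a successful injection could reach even where the query is not fixed.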