Common injection types

• SQL Injection (SQLi) — manipulate SQL queries (' OR '1'='1).

• NoSQL Injection — e.g., MongoDB queries built from user input.

• Command Injection / OS Injection — attacker injects shell commands (; rm -rf /).

• LDAP / XPath Injection — break directory or XML queries.

• Template/Server-Side Template Injection (SSTI) — inject template expressions that execute code.

• ORM Injection — misuse of ORM APIs that accept raw expressions.

Impact

• Data leakage (read arbitrary data).

• Data modification or deletion.

• Authentication bypass.

• Remote command execution and server takeover.

• Lateral movement inside networks.

Core mitigations (applied in order of priority)

1. Use parameterized queries / prepared statements

   • Never build SQL with string concatenation.

2. Use safe APIs (ORM parameter binding, query builders)

   • Use library binding features instead of raw SQL.

3. Use allowlists (whitelisting) for input that controls logic

   • For sort fields, column names, command options — map user input to safe internal values.

4. Avoid interpreters where possible

   • Don’t call the shell; use native APIs.

5. Escape only when parameterization is impossible

   • Escaping is error-prone; treat as last resort.

6. Least privilege for DB and OS

   • DB accounts should have only required permissions.

7. Disable dangerous features

   • E.g., disable eval, JS execution in template engines, stored procedures that execute OS commands.

8. Output encoding for user data used in different contexts

   • HTML encode for HTML, URL-encode for URLs, etc.

9. Input validation for expected formats

   • Use strict checks (regex, types); prefer allowlists.

10. Logging & monitoring

    • Detect anomalies, repeated failed queries, suspicious input patterns.

11. Automated testing & security scanners

    • Run sqlmap, Burp Suite, OWASP ZAP; include injection tests in CI.