Injection bugs (SQL, OS command, LDAP, NoSQL, XPath, template engines) are not about "bad input validation." They're about mixing two languages in one string and letting the attacker supply text that changes the grammar of the outer one. Once you see injection as a grammar problem rather than an input problem, every class of injection becomes the same idea with different syntax.
Why this happens
Developers use string concatenation because it's the fastest way to build a command. "SELECT * FROM users WHERE id=" + user_id feels natural; it reads like English. But what the database parses is not "a query plus an ID": it is a single string that the database lexes into tokens and parses as one statement. If the attacker controls enough of the string to add tokens of their own, the grammar of the original query changes.
The root assumption is: “I know what SQL I’m writing because I wrote it.” The truth is: the database only knows what SQL it was handed. The user has written part of the SQL by being part of the string.
Parameterized queries (prepared statements) break the injection class because they send the query template and the parameter values separately: the database parses the template first and binds the values afterwards, so a value can never become a token. The caveat is that only values can be bound. Identifiers such as table and column names, and keywords such as ASC or DESC, cannot be parameters and still have to come from a fixed allowlist. String concatenation merges template and values back into one string, and the defence collapses.
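As an added example (not code from the original module), the following Python shows the two login queries side by side against an in-memory SQLite database, plus the allowlist needed for the one thing a parameter cannot carry, a column name. The table, the two sample accounts and the function names are constructed for this illustration.

```python
import sqlite3


# Constructed sample data for the demonstration (not from the original page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "hunter2", "admin"), ("aaron", "s3cret", "user")],
    )
    return conn


def login_concat(conn, username, password):
    """VULNERABLE: the user's text is spliced into the SQL, so the parser
    sees whatever tokens the user chose to put there."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_param(conn, username, password):
    """SAFE: the template is parsed with two placeholders; the values are
    bound afterwards and can only ever be string literals, never tokens."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Column names are identifiers, not values: the driver cannot bind them,
# so a user-chosen sort column has to be checked against a fixed allowlist.
ALLOWED_SORT_COLUMNS = ("username", "role")


def is_allowed_sort(column):
    return column in ALLOWED_SORT_COLUMNS


def list_users(conn, sort_by):
    if not is_allowed_sort(sort_by):
        raise ValueError("unsupported sort column: %r" % sort_by)
    # Concatenation here is safe only because sort_by is one of the
    # literal strings in ALLOWED_SORT_COLUMNS.
    rows = conn.execute("SELECT username FROM users ORDER BY " + sort_by)
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("concat:", login_concat(db, payload, "wrong"))  # every user, admin first
    print("param: ", login_param(db, payload, "wrong"))   # []
    print("sorted:", list_users(db, "role"))
```

With the concatenated query the payload turns the WHERE clause into `username = '' OR 1=1 --...`, which matches every row; the parameterized version compares the literal string `' OR 1=1 --` against the username column and finds nothing.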
How it happens
The mechanism is identical across every injection class — only the target language differs:
- SQL: ' OR 1=1 -- closes the string literal, ORs in a tautology that makes the WHERE clause true for every row, and comments out the rest. A login that trusts the first returned row typically gets the first account in the table, which is often the admin.
- OS command: ; rm -rf /tmp; echo terminates the first command with ; and appends a second one; the trailing echo swallows whatever the template put after the injection point.
- LDAP: *)(uid=* closes the current attribute clause and inserts a wildcard (uid=*) that matches every entry; depending on how the server treats the leftover filter text, the password clause can be sidelined entirely.
- NoSQL (Mongo): {"$gt": ""} as the password value, when the framework deserializes request bodies straight into query objects, turns a string comparison into an operator: every non-empty string is greater than "", so any password matches.
- Template engine (Jinja, Handlebars): {{7*7}} renders as "49", proving the attacker's text reached the template engine rather than being inserted as plain HTML. From there, the objects reachable from the template context (in Jinja2, the class hierarchy reachable from any Python object) can lead to RCE.
- Log injection: a user-supplied \n (or \r\n) inside a log field ends the current record and starts a second one that looks legitimate, confusing investigators or log-based alerting.
- Mass assignment (not syntactic, but the same idea): the attacker adds a role=admin field to a JSON body and the framework binds every field it finds onto the model object.
Each case is the same bug: the attacker smuggles tokens into a language they were only supposed to supply data for.
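The same "keep the user's text as data" rule applied to four of the non-SQL cases above, as an added example rather than code from the original module. It shows a shell argument kept as one word with shlex.quote, a Mongo-style login filter that refuses operator objects in the credential slots, a log writer that escapes CR/LF, and a field allowlist for request-body binding. The function names, the cat command, the field names and the sample inputs are all constructed for this illustration.

```python
import shlex


# --- OS command: the user's text must stay a single argument ---------------

def shell_tokens(filename, quote):
    """Return the argv a POSIX shell would build from 'cat <filename>'.
    With quote=True the filename goes through shlex.quote first, so the
    shell sees one word; without it, ';' becomes a command separator."""
    line = "cat " + (shlex.quote(filename) if quote else filename)
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    return list(lexer)


# --- NoSQL: credentials are strings, never operator objects -----------------

def login_filter(body):
    """Build the Mongo-style filter only if both credentials are strings.
    A JSON object such as {"$gt": ""} in the password slot is an operator,
    not a value, and would match any password; return None to reject it."""
    username, password = body.get("username"), body.get("password")
    if not (isinstance(username, str) and isinstance(password, str)):
        return None
    return {"username": username, "password": password}


# --- Log injection: one event, one line --------------------------------------

def _escape_field(value):
    # CR and LF are the record separators of a text log; encode them so
    # user text cannot end the record and start a forged one.
    return str(value).replace("\r", "\\r").replace("\n", "\\n")


def log_line(user, event):
    return "user=%s event=%s" % (_escape_field(user), _escape_field(event))


# --- Mass assignment: bind only what the endpoint means to accept -----------

PROFILE_WRITABLE = frozenset({"display_name", "email"})


def bind_profile(model, body):
    """Copy only allowlisted fields from the request body onto the model;
    a role=admin field in the body is silently dropped."""
    updated = dict(model)
    for field in body:
        if field in PROFILE_WRITABLE:
            updated[field] = body[field]
    return updated


if __name__ == "__main__":
    cmd_payload = "; rm -rf /tmp; echo"
    print(shell_tokens(cmd_payload, quote=False))  # ';' and 'rm' become tokens
    print(shell_tokens(cmd_payload, quote=True))   # ['cat', '; rm -rf /tmp; echo']
    print(login_filter({"username": "admin", "password": {"$gt": ""}}))  # None
    print(log_line("bob", "login failed\nuser=admin event=login ok"))
    print(bind_profile({"role": "user", "email": "a@example.com"},
                       {"email": "b@example.com", "role": "admin"}))
```

In a real service the command case would be `subprocess.run(["cat", filename])` with no shell at all; the lexer here only makes visible what the shell would have done with the two strings. The log and mass-assignment helpers are the same allowlist idea as the SQL column check: the language (shell, BSON, log format, model schema) gets only the tokens the code chose to give it.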