Chapter 7

Injection Attacks

Injection attacks are among the most common attacks in web security. As mentioned in Chapter 3, XSS is in essence an HTML injection attack. The security design principle proposed in Chapter 1, the separation of data and code, can be said to exist precisely to address injection attacks.

The essence of an injection attack is that data entered by the user is executed as code. There are two key conditions: first, the user can control the input; second, the code the program is about to execute is joined with the data input by the user. In this chapter, we will discuss several common injection attacks and the defenses against them.
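
The two conditions above, shown with SQL as an added example (not code from the book): a Python `sqlite3` lookup built by string concatenation beside the same lookup with a bound parameter. The table, rows, inputs and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory table holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret"),
                    ("o'brien", "o-secret")])
    return db

def lookup_concatenated(db, name):
    # Both conditions hold: `name` is user-controlled, and it is joined
    # into the SQL text, so the parser cannot tell data from code.
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, name):
    # Second condition removed: the SQL text is fixed, and `name` is bound
    # as a value after parsing, so it can never alter the statement.
    sql = "SELECT secret FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that carries SQL syntax
    for label, fn in (("concatenated ", lookup_concatenated),
                      ("parameterized", lookup_parameterized)):
        print(label, "normal :", fn(db, "alice"))
        print(label, "crafted:", fn(db, crafted))
    # A legitimate name containing a quote is also mishandled by
    # concatenation: the statement no longer parses.
    try:
        lookup_concatenated(db, "o'brien")
    except sqlite3.OperationalError as exc:
        print("concatenated  o'brien:", exc)
    print("parameterized o'brien:", lookup_parameterized(db, "o'brien"))
```

With concatenation the crafted input returns every row and the legitimate name `o'brien` raises a syntax error; with the bound parameter both are treated purely as data.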

7.1 SQL Injection Attacks

Developers today ...
