Injection happens when user-supplied data is treated as part of an OS command or part of a query, usually because the data was mixed into the command or query text through string concatenation.
As developers, we need to apply appropriate controls. Strict input validation is always recommended, but on its own it is not enough: in addition, we need to do one or more of the following to prevent injection in the various parts of our apps:
- parameterize queries
- decouple user input from real file system paths
- use shell encoding
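The three controls above, as an added example in Python (not code from the original page): a parameterized query against an in-memory SQLite table, a report lookup that maps an opaque key to a known file instead of building a path from the raw input, and an OS command built as an argument list (or shell-encoded with `shlex.quote` when a shell command line cannot be avoided). The table contents, the `ALLOWED_REPORTS` mapping and the function names are assumptions made for the example.

```python
import shlex
import sqlite3
import subprocess
from pathlib import Path

# --- 1. Parameterized query (SQL injection control) ---

def make_demo_db():
    # Constructed sample data for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn

def find_user(conn, username):
    # The value is bound to the placeholder and sent separately from the SQL text,
    # so an input like "x' OR '1'='1" is compared literally, never parsed as SQL.
    cur = conn.execute("SELECT id, username FROM users WHERE username = ?", (username,))
    return cur.fetchall()

# --- 2. Decouple user input from real file system paths ---

# Hypothetical allowlist: the client only ever sends a key, never a file name.
ALLOWED_REPORTS = {
    "summary": "summary.txt",
    "detail": "detail.txt",
}

def resolve_report_path(base_dir, report_key):
    filename = ALLOWED_REPORTS.get(report_key)
    if filename is None:
        raise ValueError("unknown report key")
    base = Path(base_dir).resolve()
    path = (base / filename).resolve()
    # Defense in depth: confirm the resolved path still sits inside base_dir,
    # which also catches any future mistake in the allowlist itself.
    try:
        path.relative_to(base)
    except ValueError:
        raise ValueError("path escapes base directory")
    return path

# --- 3. OS commands: argument list first, shell encoding when a shell is unavoidable ---

def ping_argv(host):
    # With an argument list and shell=False, `host` is delivered to the program as a
    # single argv entry; characters such as ; | $ ( ) are never seen by a shell.
    return ["ping", "-c", "1", host]

def ping_shell_line(host):
    # When the command really has to go through a shell (e.g. a remote shell or a
    # legacy wrapper), shell-encode the value so metacharacters lose their meaning.
    return "ping -c 1 " + shlex.quote(host)

def run_argv(argv):
    # Execute without a shell; returns the command's stdout.
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout
```

`find_user` returns the same result whether or not the input contains quote characters, `resolve_report_path` rejects any key that is not in the map before a path is ever formed, and `ping_argv`/`ping_shell_line` show the two acceptable ways to carry an untrusted value into a command: as its own argument, or encoded so the shell treats it as one literal word.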
Injection resources include: