OWASP Security
top10_2025
A05:2025 - Injection
Hostile data sent to an interpreter to execute unintended commands.
Intent & Description
🎯 Intent
Prevent untrusted data from being interpreted as commands or queries by backend systems.
📋 Context
Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. SQL injection, OS command injection, and LDAP injection remain prevalent attack vectors.
💡 Solution
Use parameterized queries and prepared statements so that user data is bound as a value and never spliced into the command text. Validate and sanitize all user inputs. Use ORMs. Apply least privilege to database accounts. Implement input allowlisting where possible, in particular for identifiers such as column or table names that cannot be passed as parameters.
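As an added example (not part of this catalog entry), the following Python script contrasts a string-built SQL query with its parameterized form, and shows allowlisting for the one place a parameter cannot be bound, an identifier in ORDER BY. The in-memory SQLite table, sample rows and helper names are constructed for the demonstration; the vulnerable helper is kept deliberately broken so the difference is observable. A legitimate username containing a quote is enough to show that the string-built query hands user data to the SQL parser, while the parameterized query treats the same input purely as data.

```python
import sqlite3

# Constructed sample rows for the demonstration; not from any real system.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "o'brien", "obrien@example.com"),
    (3, "bob", "bob@example.com"),
]


def build_db():
    """Create an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    # executemany with '?' placeholders is itself a parameterized insert.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately vulnerable: the value is spliced into the SQL text,
    so the interpreter parses whatever the caller supplied as SQL."""
    query = f"SELECT id, username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Parameterized: the SQL text is fixed and the value travels separately,
    so a quote in the input is just a character in a string."""
    query = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Identifiers cannot be bound as parameters, so the only safe option is an
# explicit allowlist of column names the caller may sort by.
ALLOWED_SORT_COLUMNS = {"id", "username", "email"}


def list_users_sorted(conn, sort_column):
    """Sort by a caller-chosen column, accepting only allowlisted names."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not allowed: {sort_column!r}")
    # Safe to interpolate here: sort_column is one of our own literals.
    query = f"SELECT id, username FROM users ORDER BY {sort_column}"
    return conn.execute(query).fetchall()


def demo():
    """Run both lookups with a legitimate quoted name and return what happened."""
    conn = build_db()
    name = "o'brien"  # ordinary input that happens to contain a quote
    results = {}
    try:
        results["vulnerable"] = find_user_vulnerable(conn, name)
    except sqlite3.OperationalError as exc:
        # The quote ended the SQL string literal: proof the input was parsed as code.
        results["vulnerable"] = f"query broke: {exc}"
    results["safe"] = find_user_safe(conn, name)
    try:
        # A column that is not in the allowlist is refused before any SQL runs.
        results["sorted"] = list_users_sorted(conn, "created_at")
    except ValueError as exc:
        results["sorted"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The broken query is the detection signal worth remembering: a parser error on ordinary input is strong evidence that data is reaching the interpreter as code, and the same path would accept crafted input. The allowlist for the sort column covers the case that parameters cannot, and the least-privilege advice in the solution applies on top of both: the database account running these queries should have no rights beyond the statements the application needs.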
Real-world Use Case
Use whenever user-supplied data interacts with interpreters, databases, operating systems, or external services.
📌 TL;DR
Never trust user input. Use parameterized queries, validate inputs, and apply least privilege to prevent injection attacks.
Advantages
- Prevents data theft and corruption
- Blocks command execution attacks
- Protects database integrity
- Reduces risk of system compromise
Disadvantages
- Requires consistent implementation across all inputs
- Legacy code may be difficult to retrofit
- Some injection vectors are subtle