Like buffer overflows in system code, injection attacks have been a dangerous problem in the web world for many years, and like buffer overflows, there are several different types of code injection attacks.
Most recent web applications depend on the use of interpreted programming languages and back-end databases to collect data and generate dynamically driven content to the user. There are many popular interpreted programming languages in use today including PHP, JavaScript, Active Server Pages, SQL, Python, and countless others.
An interpreted language differs from a compiled language because the interpreted language generates machine code just before it is executed. Compiled programming languages need the programmer to compile the source code and generate an executable (.exe) file. In this situation, once the program is compiled, the source code cannot be modified unless it is recompiled and the new executable is redistributed.
Understanding what an interpreted language is and how it works is the key to understanding injection attacks. Understanding that user input will usually be used to build code that is executed on the target system, injection attacks concentrate on submitting, sending, and manipulating user-driven input. The purpose of sending manipulated input or queries to a target is to get the target to execute unintended commands or return unintended information back to the attacker.
The typical example of an injection attack is SQL injection. SQL is a programming language that is used to interact with and manipulate data in a database. Using SQL, a user can read, write, modify, and delete data saved in the database tables.