How can malicious data be injected through interfaces?
The attacker hides executable code inside normal-looking data; the app forwards it to a backend that interprets it as instructions rather than inert data.
* Injection as data-becomes-code — input meant as data is interpreted as commands once it crosses the interface. *
Concrete example — SQL Injection:
User enters: Robert'; DROP TABLE users; --
^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^
data hidden payload (SQL code)
App builds: "SELECT * FROM users WHERE name='Robert'; DROP TABLE users; --'"
^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^
valid query injected command!
Database sees: Two valid SQL statements → executes both
Why this works: The interface (SQL) uses the same characters (', ;) for data delimiters and command separators. The attacker's input crosses the boundary from "data" to "code" because the application doesn't enforce the boundary.
Same pattern applies to: Command injection (;rm -rf /), XSS (<script>...</script>), LDAP injection — any interface where data and code share the same channel.
Go deeper:
CWE-89: SQL Injection (MITRE) — the data-becomes-code weakness behind the Robert'; DROP TABLE example.