), LDAP injection — any interface where data and code share the same channel.\nGo deeper:\n\n CWE-89: SQL Injection (MITRE) — the data-becomes-code weakness behind the Robert'; DROP TABLE example.\n\n", "dateModified": "2026-07-05T08:49:35+00:00" } } }

LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How can malicious data be injected through interfaces?

The attacker hides executable code inside normal-looking data; the app forwards it to a backend that interprets it as instructions rather than inert data.

Input "Robert'; DROP TABLE users; --" concatenated into a query and parsed as two statements — data read as code.

* Injection as data-becomes-code — input meant as data is interpreted as commands once it crosses the interface. *

Concrete example — SQL Injection:

User enters:    Robert'; DROP TABLE users; --
                ^^^^^^^^  ^^^^^^^^^^^^^^^^^^^^
                 data      hidden payload (SQL code)

App builds:     "SELECT * FROM users WHERE name='Robert'; DROP TABLE users; --'"
                                          ^^^^^^^^^^^^^^  ^^^^^^^^^^^^^^^^^^^^^
                                          valid query     injected command!

Database sees:  Two valid SQL statements → executes both

Why this works: The interface (SQL) uses the same characters (', ;) for data delimiters and command separators. The attacker's input crosses the boundary from "data" to "code" because the application doesn't enforce the boundary.

Same pattern applies to: Command injection (;rm -rf /), XSS (<script>...</script>), LDAP injection — any interface where data and code share the same channel.

Go deeper:

From Quiz: SPRG / Security Review | Updated: Jul 05, 2026