Injection Attacks

Injection attacks can be broadly classified into two major kinds: SQL injection and command injection.

SQL Injection: Occurs when user input is passed into SQL queries. As a result, the attacker can access the database and do whatever they want, such as manipulating or deleting tables.

Command Injection: Occurs when user input is passed to the target system as system commands. The attacker is then able to execute arbitrary system commands on the application server.

The best way to prevent injection attacks is to ensure that user-controlled input is never interpreted as part of a query or command, commonly known as input validation. This can be done in different ways:

Using an allow list: when user input is sent to the target server, it is compared against a list of known-safe inputs or characters. Only input that matches the list is processed.

Stripping input: if the input contains suspicious characters, those characters are stripped off before the input is processed.
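The SQL injection case and the allow-list check described above, as an added example that is not part of the original page. It uses a constructed in-memory SQLite table: `lookup_user_unsafe` concatenates input into the query text so the database interprets it as SQL, while `lookup_user_safe` passes it as a bound parameter, and `is_allowed_username` applies an allow list before the query is ever built.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the demonstration (not from the original page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the input becomes part of the SQL statement itself, so
    # quote characters in it change the meaning of the WHERE clause.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the input is bound as a parameter and treated purely as data,
    # never as query syntax, whatever characters it contains.
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Allow list for usernames: lowercase letters, digits and underscore, 1-32 chars.
USERNAME_ALLOWED = re.compile(r"[a-z0-9_]{1,32}")


def is_allowed_username(name: str) -> bool:
    # Input that does not match the allow list entirely is rejected, not cleaned up.
    return USERNAME_ALLOWED.fullmatch(name) is not None


def lookup_user_validated(conn: sqlite3.Connection, name: str) -> list:
    # Defence in depth: allow-list check first, then a parameterised query.
    if not is_allowed_username(name):
        raise ValueError("username rejected by allow list")
    return lookup_user_safe(conn, name)


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"  # constructed input that closes the quote and adds a true condition
    print("unsafe, benign :", lookup_user_unsafe(db, "alice"))  # one row
    print("unsafe, hostile:", lookup_user_unsafe(db, hostile))  # every row leaks
    print("safe,   hostile:", lookup_user_safe(db, hostile))    # no rows
    print("allow list     :", is_allowed_username(hostile))     # False
```

Rejecting input that fails the allow list is more robust than stripping characters, because a stripping routine has to anticipate every character the database or shell treats specially, while the parameterised query removes the interpretation problem entirely.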