SQL injection

Feb 04 2010

Secure Development - Injection Flaws

Welcome to the second post in my series on secure development issues. This week's topic is injection flaws, including SQL and command injection. The most common types of web application injection flaws include:

  1. Database systems: SQL injection (e.g. 1=1)
  2. Script languages such as Perl, Python, JavaScript
  3. Shells for external commands (e.g. ; rm -rf /)
  4. Calls to the operating system via system calls
  5. Path traversal in file names (e.g. ../../etc/passwd)

Let's look at an example of a typical SQL injection attack. Say a developer writes the following Java code to build an SQL query that authenticates users.

String query = "SELECT * FROM users WHERE user = '" + username + "' AND password = '" + pwdHash + "'"; // untrusted username spliced directly into the SQL text

If an attacker enters the following into the input form, he can bypass authentication completely:
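The following is an added example, not code from the original post, written in Python with sqlite3 rather than Java so it can be run as-is. It reproduces the post's concatenated query beside its parameterized counterpart (the equivalent of a Java PreparedStatement) and runs both against a normal login and against a crafted username built on the same "1=1" idea listed above. The table, the account, and the unsalted SHA-256 hash used for pwdHash are constructed assumptions for the demo.

```python
import hashlib
import sqlite3

# Constructed sample data (not from the post): one account whose stored
# credential is an unsalted SHA-256 hex digest, standing in for the post's
# pwdHash. A real system would store a salted, slow password hash instead.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse"


def make_db():
    """Build an in-memory users table holding the single constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        (SAMPLE_USER, hashlib.sha256(SAMPLE_PASSWORD.encode()).hexdigest()),
    )
    conn.commit()
    return conn


def login_concat(conn, username, pwd_hash):
    """Vulnerable: the same string concatenation as the post's Java snippet.

    Whatever the user typed becomes part of the SQL text, so a quote in the
    username changes the statement's structure instead of being matched as data.
    """
    query = (
        "SELECT * FROM users WHERE user = '" + username
        + "' AND password = '" + pwd_hash + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_param(conn, username, pwd_hash):
    """Hardened: a parameterized query (Java's PreparedStatement equivalent).

    The SQL text is fixed; the driver binds the values separately, so a quote
    in the username is compared literally and cannot alter the statement.
    """
    query = "SELECT * FROM users WHERE user = ? AND password = ?"
    return conn.execute(query, (username, pwd_hash)).fetchone() is not None


def demo():
    """Run both login paths for a normal login and for an injected username."""
    conn = make_db()
    good_hash = hashlib.sha256(SAMPLE_PASSWORD.encode()).hexdigest()
    wrong_hash = hashlib.sha256(b"not the password").hexdigest()
    # Constructed attacker input: closes the quoted literal, makes the WHERE
    # clause always true via 1=1, and comments out the password check.
    injected = "' OR 1=1 --"
    return {
        "concat_valid": login_concat(conn, SAMPLE_USER, good_hash),
        "concat_injected": login_concat(conn, injected, wrong_hash),  # True: bypassed
        "param_valid": login_param(conn, SAMPLE_USER, good_hash),
        "param_injected": login_param(conn, injected, wrong_hash),  # False: rejected
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

The concatenated version accepts the crafted username with a wrong password because the input rewrote the statement; the parameterized version compares the same string as an ordinary value and rejects it, while still accepting the legitimate login. Binding values instead of building SQL text is the fix, not escaping quotes by hand.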

Disclaimer

The words and opinions expressed here are those of each article's respective author, and do not necessarily represent the views of CapTech Ventures.