Command injection is an attack method in which a hacker alters dynamically generated content on a Web page by entering HTML code into an input mechanism, such as a form field that lacks effective validation constraints. A malevolent hacker (also known as a cracker) can exploit that vulnerability to gain unauthorized access to data or network resources. When users visit an affected Web page, their browsers interpret the code, which may cause malicious commands to execute in the users' computers and across their networks.
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Originally known as shell command injection, the process was accidentally discovered in 1997 by a programmer in Norway. The first command injection resulted in the unintended deletion of Web pages from a site, removed as easily as files from a disk or hard drive.
The most common form of command injection is known as SQL command injection or simply SQL injection, a security exploit in which a cracker adds SQL (Structured Query Language) code to a Web form input box to gain access to resources or make changes to data.