Command injection is an attack method in which a hacker alters dynamically generated content on a Web page by entering HTML code into an input mechanism, such as a form field that lacks effective validation constraints. A malevolent hacker (also known as a cracker) can exploit that vulnerability to gain unauthorized access to data or network resources. When users visit an affected Web page, their browsers interpret the code, which may cause malicious commands to execute in the users' computers and across their networks.
Originally known as shell command injection, the process was accidentally discovered in 1997 by a programmer in Norway. The first command injection resulted in the unintended deletion of Web pages from a site, removed as easily as files from a disk or hard drive.
The most common form of command injection is known as SQL command injection or simply SQL injection, a security exploit in which a cracker adds SQL (Structured Query Language) code to a Web form input box to gain access to resources or make changes to data.