Submitted via IRC for soycow1984
They may not grab the most headlines, but injection attacks are the most common threats targeting organizational networks, according to IBM MSS data.
The facts are clear. According to IBM X-Force analysis of IBM Managed Security Services (MSS) data, injection attacks are the most frequently employed mechanism of attack against organizational networks. In fact, for the period assessed (January 2016 through June 2017), injection attacks made up nearly half — 47 percent — of all attacks. The most common types were operating system command injection (OS CMDi) and SQL injection (SQLi).
[Figure 1: Injection attacks versus all attacks (Source: IBM Managed Security Services data)]
Attackers take advantage of injection vulnerabilities in operating systems and applications to penetrate critical web servers and access back-end databases. From using malicious webshells to planting cryptocurrency mining tools or malicious PHP scripts, there are many ways in which cybercriminals can use injection attacks to reach their end goal.
(Score: 0) by Anonymous Coward on Thursday November 09 2017, @08:42AM
I'd go as far as to say that if trusting or not trusting anything entered by the user is even relevant, you are doing it wrong.
Thus your first and second points become moot.
The rule should be "never mix code and data". Your third point is a less general form of this.
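The "never mix code and data" rule from the comment above, applied to the two injection classes the article names (SQLi and OS CMDi), as an added example that is not part of the original page or the IBM report; the inputs are constructed and the helper names are hypothetical.

```python
import sqlite3
import subprocess

# Constructed sample inputs (not from the article): a login-form value carrying a
# classic SQL payload, and a filename carrying a shell metacharacter payload. The
# shell payload is deliberately harmless so the "mixed" path can be run safely here.
SQLI_INPUT = "nobody' OR '1'='1"
CMDI_INPUT = "report.txt; echo INJECTED"


def make_db():
    """In-memory table with one constructed row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.execute("INSERT INTO users VALUES ('admin')")
    return db


def lookup_mixed(db, name):
    """Bad: the input is spliced into the SQL text, so quotes in it become code."""
    return [r[0] for r in db.execute(
        f"SELECT name FROM users WHERE name = '{name}'").fetchall()]


def lookup_separated(db, name):
    """Good: fixed query text; the input reaches SQLite as a bound parameter (data)."""
    return [r[0] for r in db.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()]


def run_mixed(filename):
    """Bad: a command string is handed to /bin/sh, which re-parses ';' as code."""
    return subprocess.run(f"echo {filename}", shell=True,
                          capture_output=True, text=True).stdout


def run_separated(filename):
    """Good: argv list, no shell; the filename is one opaque argument (data)."""
    return subprocess.run(["echo", filename],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    db = make_db()
    print("SQL mixed    :", lookup_mixed(db, SQLI_INPUT))       # ['admin'] (filter bypassed)
    print("SQL separated:", lookup_separated(db, SQLI_INPUT))   # []
    print("CMD mixed    :", repr(run_mixed(CMDI_INPUT)))        # 'report.txt\nINJECTED\n'
    print("CMD separated:", repr(run_separated(CMDI_INPUT)))    # 'report.txt; echo INJECTED\n'
```

The "separated" variants never give the interpreter a chance to see user input as syntax, which is the general fix behind both the parameterized query and the argv-list call.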