An injection attack is where information supplied within a data entry box or upload file is used for malicious purposes - for example, if a user enters his name as fred'; drop database test; ... and finds that the script he has contacted inserts the text entered straight into a database query. Possible injection attacks include:
* HTML, where an abuser types tags into a data entry box. This leads to poorly displayed information when the tags are echoed back to his (or other users') pages. Solution - pass the text through htmlspecialchars() before you echo it.
* Variable seeding, where an abuser adds an extra box to the HTML source and initialises one of your variables that you have failed to initialise in your code. Scripts which are easily accessible in source form are prone to this form of attack if poorly written, but only if you're running PHP 4.0 or earlier, or if you've set register_globals on.
* SQL, where SQL is entered into a box - my example in the intro paragraph shows an SQL attack, although I haven't given you the complete code. Once again, these attacks are much more likely to succeed on scripts where the source code is commonly available.
* File name, where the user's input is taken as being a file name or the basis of one - if I enter my name as "../graham", for example. If you must take the user's input to form a file name, filter it carefully!
* Email header, where a subject line or recipient can be specified that's used as extra parameters to the mail() function. Subject lines that include a new line character can be used to add a "cc" or "bcc" header unless you check it, and if your email script does not email you each time it's used, you can be unaware that your site is being used to send out unsolicited material for years!
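Each of the five cases above comes down to one small check before the user's text reaches the page, the query, the file system or mail(). The following is an added example written for this page, not code from the original article: the function names (safe_html, form_field, find_user, safe_filename, clean_mail_field, clean_recipient), the users table and every sample input are assumptions constructed for the demonstration. It uses PDO with an in-memory SQLite database so that it runs on its own.

```php
<?php
// Added example for this page (not the original article's code): one small
// check for each injection type listed above. Function names, the "users"
// table and every sample input are assumptions constructed for the demo.

// 1. HTML injection: escape user text before echoing it into a page, so a
//    typed "<b>" reaches the browser as "&lt;b&gt;" rather than as a tag.
function safe_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. Variable seeding: read every form field through one helper with an
//    explicit default, and never let a value the form supplied stand in for
//    a variable you forgot to initialise (register_globals on or off).
function form_field(array $post, string $name, string $default = ''): string
{
    return isset($post[$name]) ? (string) $post[$name] : $default;
}

// 3. SQL injection: the user's text is bound as a parameter, never spliced
//    into the query string, so "fred'; drop database test;" is just a name
//    that happens to match no row.
function find_user(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 4. File names: refuse anything that could leave the intended directory
//    ("../graham") or that is not a plain name with an optional extension.
function safe_filename(string $input): ?string
{
    if (preg_match('#[/\\\\\x00]#', $input)) {      // path separator or NUL byte
        return null;
    }
    if ($input === '' || $input === '.' || $input === '..') {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?$/', $input)) {
        return null;
    }
    return $input;
}

// 5. Email headers: a subject or address containing a line break lets the
//    sender append "Cc:"/"Bcc:" lines to the headers handed to mail().
function clean_mail_field(string $value): ?string
{
    if (preg_match('/[\r\n]/', $value)) {
        return null;
    }
    return trim($value);
}

function clean_recipient(string $address): ?string
{
    $address = clean_mail_field($address);
    if ($address === null || filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $address;
}

// --- demonstration with constructed hostile inputs ---
$hostile_name = "fred'; drop database test;";
$post = ['name' => $hostile_name, 'is_admin' => '1'];   // 'is_admin' is the seeded extra box

$is_admin = false;                        // set only by your own logic, never from $post
$name     = form_field($post, 'name');
echo 'Admin: ', $is_admin ? 'yes' : 'no', "\n";

echo 'Escaped for HTML: ', safe_html('<b>' . $name . '</b>'), "\n";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('fred')");

var_dump(find_user($db, 'fred'));         // the genuine row
var_dump(find_user($db, $name));          // no match, and the table is untouched
var_dump($db->query('SELECT COUNT(*) FROM users')->fetchColumn());

var_dump(safe_filename('../graham'));     // rejected: directory component
var_dump(safe_filename('graham.txt'));    // accepted

var_dump(clean_mail_field("Order query\nBcc: victim@example.com"));  // rejected: header injection
var_dump(clean_recipient('fred@example.com'));                        // accepted
```

The recurring pattern is that each helper returns null (or an escaped copy) and the caller decides what to do with a rejection; none of them try to "repair" hostile input, because a stripped-down version of "../graham" is still a name you did not choose. For the email case, logging every send (or mailing yourself a copy, as the text suggests) is what turns a silent abuse into one you notice.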
Associated topics are indexed as below, or enter http://melksh.am/nnnn for individual articles
H117 - Security in PHP
Spotting a denial of service attack - (2005-06-12) 
Robust checking of data entered by users - (2005-08-27) 
A lion in a cage - PHP - (2006-11-10) 
What is an SQL injection attack? - (2006-11-27) 
Learning to write secure, maintainable PHP - (2007-01-25) 
Easy handling of errors in PHP - (2007-08-27) 
Error logging to file not browser in PHP - (2007-10-11) 
Using PHP to upload images / Store on MySQL database - security questions - (2007-10-19) 
A story about benchmarking PHP - (2007-12-23) 
Are nasty programs looking for security holes on your server? - (2008-02-17) 
PHP - Sanitised application principles for security and useability - (2008-06-16) 
Defensive coding techniques in PHP? - (2008-07-02) 
Who is watching you? - (2008-08-10) 
Injection Attacks - avoiding them in your PHP - (2008-08-31) 
Injection Attack if register_globals in on - PHP - (2009-02-04) 
Security considerations in programming - what do we teach? - (2010-03-22) 
Protecting your images from use out of context - (2010-08-29) 
Catchable fatal error in PHP ... How to catch, and alternative solutions such as JSON - (2011-03-22) 
How to stop forms on other sites submitting to your scripts - (2012-04-15) 
An easy way to comply with the new cookie law if your site is well designed - (2012-06-02) 
A small teaching program - demonstration of principles only - (2016-02-08)