
SecBez Team, February 7, 2026 (2 min read)

Injection Vulnerabilities: What Every Developer Should Know

SQL injection, command injection, and path traversal remain the most exploited vulnerability classes. Here is how they appear in modern codebases.

Tags: Education, AppSec, Detectors

Injection vulnerabilities have topped security risk lists for over a decade. Despite widespread awareness, they still appear in production code because modern frameworks do not eliminate them automatically.

The three injection families

SQL injection

Occurs when user input is concatenated into SQL queries without parameterization.

// Vulnerable
const query = `SELECT * FROM users WHERE email = '${email}'`

// Safe
const result = await db.query('SELECT * FROM users WHERE email = $1', [email])

ORM usage reduces this risk significantly, but raw queries, custom query builders, and dynamic table or column names remain common vectors.

Command injection

Occurs when user input reaches a shell execution function.

// Vulnerable
exec(`convert ${filename} output.png`)

// Safe
execFile('convert', [filename, 'output.png'])

The fix is avoiding shell interpretation entirely. Use execFile or spawn with argument arrays instead of exec with string interpolation.

Path traversal

Occurs when user input controls file system paths without validation.

// Vulnerable
const content = fs.readFileSync(`./uploads/${userInput}`)

// Safe
const base = path.resolve('./uploads')
const safePath = path.resolve(base, userInput)
// Compare against the directory plus a separator, otherwise a sibling such as ./uploads2 would pass
if (!safePath.startsWith(base + path.sep)) throw new Error('Invalid path')
const content = fs.readFileSync(safePath)

Why these persist

Three reasons injection bugs survive in modern codebases:

  1. Framework escape hatches. Every ORM has a raw query method. Every web framework has a way to bypass template escaping.
  2. Copy-paste patterns. Vulnerable code from Stack Overflow and AI assistants gets copied without review.
  3. Indirect injection. Data flows through multiple functions before reaching a sink, making the vulnerability non-obvious in a single file review.

Detection in pull requests

Automated detection at the PR level catches injection patterns before they reach the default branch. Diff-first scanning focuses the analysis on new code, keeping results relevant and actionable.

The best defense combines automated detection with developer education. Know the patterns. Use the safe alternatives. Let tooling catch the mistakes.