[转载]The Essence of Command Injection Attacks in Web Applications

信息来源：邪恶八进制信息安全团队（www.eviloctal.com）

This paper presents the first formal definition of command injection attacks in the context of web applications, and gives a sound and complete algorithm for preventing them based on context-free grammars and compiler parsing techniques. Our key observation is that, for an attack to succeed, the input that gets propagated into the database query or the output document must change the intended syntactic structure of the query or document.