# Overview

- Injection vulns are one of the [OWASP's Top 10 Web App Risks](https://owasp.org/www-project-top-ten/) based on impact and frequency
- Most common injection types

|Injection|Description|
|---|---|
|OS Command Injection|Occurs when user input is directly used as part of an OS command.|
|Code Injection|Occurs when user input is directly used within a function that evaluates code.|
|SQL Injection|Occurs when user input is directly used as part of an SQL query.|
|Cross-Site Scripting/HTML Injection|Occurs when exact user input is displayed on a web page.|

# OS Command Injections from Web App

## PHP

- A web app written in `PHP` may use the `exec`, `system`, `shell_exec`, `passthru`, or `popen` functions to execute commands directly on the back-end server
- Example with the `system` function

```php
<?php
// The filename parameter is concatenated straight into the shell command string
if (isset($_GET['filename'])) {
    system("touch /tmp/" . $_GET['filename'] . ".pdf");
}
?>
```

## NodeJS

- A web app developed in `NodeJS` may use `child_process.exec` or `child_process.spawn` for the same purpose as above
- Example with `child_process.exec`

```javascript
const child_process = require("child_process");
const app = require("express")();
app.get("/createfile", function (req, res) {
  // The filename query parameter is interpolated into a string that exec hands to a shell
  child_process.exec(`touch /tmp/${req.query.filename}.txt`);
});
```