Security Risk of Injection
Injection happens any time a developer takes untrusted information, such as request.getParameter(), request.getCookie(), or request.getHeader(), and uses it in a command interface. For example, SQL injection happens if you concatenate untrusted data into a regular SQL query, like
Developers should use PreparedStatement to keep attackers from changing the meaning of queries and taking over database hosts.
There are many other types of injection such as Command Injection, LDAP Injection, and Expression Language (EL) Injection, and all of them are devastatingly dangerous, so be careful when sending data to these interpreters.