The system must use parameterized queries or stored procedures to build dynamic SQL statements (e.g., java.sql.PreparedStatement).
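As an added example (not from the original page), the requirement shown in Python with sqlite3 parameter binding, which plays the same role as java.sql.PreparedStatement: a string-concatenated query beside its parameterized form, both run against a constructed in-memory table so the difference in returned rows is visible.

```python
import sqlite3


def build_db():
    # Constructed sample data so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    # Vulnerable (CWE-89): the input is spliced into the statement text,
    # so quote characters in it become part of the SQL syntax.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Parameterized: the '?' placeholder is bound by the driver, so the input
    # is always treated as a literal value and never parsed as SQL. This is
    # the same technique as PreparedStatement.setString() in Java.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    # Compare both functions on a normal value and on a quote-bearing value.
    conn = build_db()
    normal = "bob"
    quoted = "x' OR '1'='1"  # constructed input containing SQL metacharacters
    return {
        "unsafe_normal": find_user_unsafe(conn, normal),
        "unsafe_quoted": find_user_unsafe(conn, quoted),
        "safe_normal": find_user_safe(conn, normal),
        "safe_quoted": find_user_safe(conn, quoted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The concatenated version returns every row for the quoted input, while the bound version returns none because no user is literally named that. Note that a stored procedure only satisfies the requirement if it does not itself concatenate its arguments into dynamic SQL.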
CAPEC-7: Blind SQL Injection: Blind SQL Injection results from an insufficient mitigation for SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages.
CAPEC-248: Command Injection: An adversary looking to execute a command of their choosing injects new items into an existing command, thus modifying its interpretation away from what was intended.
CWE-89: SQL Injection: The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command.
OWASP Top 10 A1:2017-Injection: Injection flaws, such as SQL, NoSQL, OS and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
OWASP-ASVS v4.0.1 V5.3 Output Encoding and Injection Prevention Requirements (5.3.4): Verify that data selection or database queries (e.g., SQL, HQL, ORM, NoSQL) use parameterized queries, ORMs, entity frameworks, or are otherwise protected from database injection attacks.
PCI DSS v3.2.1 - Requirement 6.5.1: Address common coding vulnerabilities in software-development processes such as injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.