D2 · Threats

What are injection attacks?

Injection attacks insert malicious code into interpreters — SQL (database), LDAP (directory), OS command (shell), XML/XPath (XML parsers), NoSQL.
Injection = consistently top 1-3 in OWASP Top 10. Root cause: user input concatenated directly into commands/queries. Universal fix: parameterized queries/prepared statements for SQL; input validation + escaping for others.