Many programs accept data from untrusted sources and then pass the (modified or unmodified) data to some subsystem. Often the data is a string with some internal syntactic structure, which the subsystem must parse.
Such data must be sanitized, both because the subsystem may be unprepared to handle malformed input and because unsanitized input may carry an injection attack.
Consequently, programs must sanitize all string data that is passed to parsers or command interpreters so that the resulting string is innocuous in the context in which it will be parsed or interpreted.
...
To comply with guideline MSC05-J. Store passwords using a hash function, the passwords must be hashed. Unfortunately, on many small systems they are not, and so fail to comply; consequently, the password text added to the query string would match precisely what the user enters. An attacker could supply a string for <PASSWORD>
such as:
...
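The following is an added example, not code from the original page or the standard: it shows how a login routine can keep user-supplied strings out of the SQL grammar (with `PreparedStatement` placeholders) and avoid storing or comparing plaintext passwords (with a salted PBKDF2 hash). The class name `SafeLogin`, the `db_user(username, salt, password_hash)` schema and the caller-supplied `Connection` are assumptions for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical login helper: parameterized lookup plus salted, iterated password hash. */
public final class SafeLogin {

    private final Connection connection; // assumed to be supplied by the caller

    public SafeLogin(Connection connection) {
        this.connection = connection;
    }

    /** Returns true if the stored hash for username matches; plaintext never enters SQL text. */
    public boolean authenticate(String username, char[] password)
            throws SQLException, GeneralSecurityException {
        // The ? placeholder binds username as a value, so quote characters or SQL
        // keywords in the input cannot change the structure of the statement.
        String sql = "SELECT salt, password_hash FROM db_user WHERE username = ?";
        try (PreparedStatement stmt = connection.prepareStatement(sql)) {
            stmt.setString(1, username);
            try (ResultSet rs = stmt.executeQuery()) {
                if (!rs.next()) {
                    return false; // unknown user; assumed schema db_user(username, salt, password_hash)
                }
                byte[] expected = rs.getBytes("password_hash");
                byte[] actual = hashPassword(password, rs.getBytes("salt"));
                // Constant-time comparison avoids leaking how many bytes matched.
                return MessageDigest.isEqual(expected, actual);
            }
        } finally {
            Arrays.fill(password, '\0'); // clear the plaintext once it is no longer needed
        }
    }

    /** PBKDF2-HMAC-SHA256 over the char[] directly, so no String copy of the password is made. */
    static byte[] hashPassword(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }
}
```

Because the password only ever reaches the database as a parameter-free hash comparison in Java code, the query text is identical regardless of what the user types.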