"Software written in one language often needs to construct sentences in another language, such as
SQL queries, XML output, or shell command invocations. This is almost always done using unhygienic
string manipulation, the concatenation of constants and client-supplied strings. A client can then supply
specially crafted input that causes the constructed sentence to be interpreted in an unintended way,
leading to an injection attack. We describe a more natural style of programming that yields code that
is impervious to injections by construction. Our approach embeds the grammars of the guest languages
(e.g., SQL) into that of the host language (e.g., Java) and automatically generates code that maps the
embedded language to constructs in the host language that reconstruct the embedded sentences, adding
escaping functions where appropriate. This approach is generic, meaning that it can be applied with
relative ease to any combination of host and guest languages."
The paper Preventing Injection Attacks with Syntax Embeddings, A Host and Guest Language Independent Approach
by Martin Bravenboer, Eelco Dolstra, and Eelco Visser has been accepted at GPCE'07.