When data crosses into a system that interprets structure, without being constrained or transformed, it becomes executable.
Untrusted input is concatenated directly into a structured language (SQL, shell, LDAP)
If user input appears inside a query, command, template, object stream, or prompt without an intermediate representation that separates data from structure — you are not passing data. You are modifying structure.
Every new execution context recreates this pattern. SQL gave way to NoSQL, HTML to templates, cookies to JWTs, forms to APIs, prompts to agents. The language changes. The failure does not.
Buffer overflow was the original boundary collapse (1970s memory). SQL injection is the same mechanic in a higher-level execution context (1990s web)
Same boundary collapse — SQL targets the database layer, XSS targets the presentation layer
Both collapse the boundary between data and structure through delimiter/syntax confusion
Both allow untrusted input to become executable — one through string concatenation, one through object instantiation
SQL injection concatenates data into queries. Prompt injection concatenates data into instructions. The language changed. The failure did not
A poisoned dependency can introduce any vulnerability — supply chain compromise is a meta-pattern that delivers other patterns
Dead code conceals vulnerabilities — a deprecated code path with SQL injection survives because no one dares remove it
Year
1997–2002
Context
The web arrived faster than secure coding practices did. A generation of developers learned PHP from tutorials that showed string concatenation as the natural way to build queries. The threat model was vague — "hackers" were a distant abstraction. The immediate problem was getting the product to ship.
Who Built This
Self-taught web developers, often working alone, often under deadline. They learned from each other. The pattern propagated through copy-paste.
Threat Model at Time
Physical server security. Password on the admin panel. SSL on checkout. Nobody had formalized the concept of input as an attack vector.
Why It Made Sense
String concatenation was how you built everything else. It felt natural. It worked in testing. The tutorial showed it this way.
This pattern has been found in applications built by talented developers at respected organizations across every decade of software history. Its presence in a codebase is not a reflection of the developer who wrote it — it is a reflection of what that developer was taught, what tools they had, and the path that was easiest given what they were taught. The goal is not to find fault. The goal is to find the pattern — before it finds you.
Katie's Law: The developers were not wrong. The shortcut was not wrong. The context changed and the shortcut didn't.