Theoretically LispInjection could be to lisp-driven applications what SqlInjection is to databases-- a common programming error that results in security holes. LispInjection could happen if the application allows a user to enter values (such as via a form) that the application concatenates into a string containing a Lisp statement that is later "run as code", after all an important part of Lisp philosophy is that "code is data and data is code".

Is this possible? Does it actually happen in real production systems? Are there practices and recommendations to avoid this theoretical security risk?

''I'd guess that quoting is such an ingrained routine for a LispHacker that incorrect handling of external data is seldom observed in practice.''

Is it? or is it just that the number of LispInjection attacks is very little because Lisp is not as popular as SQL

----

''Even more interesting would be techniques for avoiding this, such as parsing libraries to take input text and verify its safety.  Does anything like PerlTaintMode exist in any versions of Lisp? -- RobertField''