An attacker can craft special user-controllable input consisting of XPath
						expressions to inject the XML database and bypass authentication or glean
						information that he normally would not be able to. XPath Injection enables
						an attacker to talk directly to the XML database, thus bypassing the
						application completely. XPath Injection results form the failure of an
						application to properly sanitize input used as part of dynamic XPath
						expressions used to query an XML database. In order to successfully inject
						XML and retrieve information from a database, an attacker: