1Z0-888 Question #12: Real Exam Question with Answer & Explanation
Question
Options
- A. writing your client code to properly escape all user input
- B. giving limited privileges to accounts used by application servers to interact with their backing databases
- C. using SSL/TLS on your outward facing web servers (https://) to encrypt all user sessions
- D. using a hashing or encryption method to secure all user passwords in your MySQL tables
- E. removing any remaining anonymous accounts from your MySQL instance
- F. validating all user input before sending it to the database server
- G. changing all passwords for the MySQL account 'root'@'%' immediately after losing an employee who knew the current password
Explanation
The stated answer key (D, E, G) appears to be incorrect. This looks like a flawed exam question with a wrong answer key, and accepting it uncritically would harm your understanding of security.
Here is why A, B, and F are the actual correct answers:
- A (escape user input) and F (validate user input) directly address SQL injection - they sanitize attacker-controlled data before it ever reaches the database parser, which is the textbook prevention method.
- B (limited privileges) is defense-in-depth: even if injection occurs, an account with only SELECT rights cannot DROP DATABASE, which matches this exact scenario.
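The three controls the explanation endorses, shown side by side in an added example that is not part of the original question page. It uses Python's built-in sqlite3 module as a stand-in for MySQL so it runs offline: a lookup that concatenates user input into the SQL text (what A and F are meant to prevent) beside the parameterized form, an allow-list validator for option F, and an authorizer callback that stands in for a MySQL account granted only SELECT (option B). The table, rows, helper names and the tautology input are all constructed for this example; parameter binding is used here as the idiomatic way to achieve what option A calls "escaping".

```python
import re
import sqlite3

# Constructed sample data; sqlite3 is an offline stand-in for a MySQL schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn

def lookup_user_vulnerable(conn, username):
    # Options A/F ignored: the input becomes part of the SQL text, so the
    # database parser sees whatever the caller typed as query syntax.
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]

def lookup_user_parameterized(conn, username):
    # Hardened form: the placeholder is bound as data, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]

# Option F: allow-list validation at the boundary where user data meets SQL.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def validate_username(username):
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username: %r" % username)
    return username

def lookup_user_safe(conn, username):
    # Validation (F) and parameter binding (A's goal) layered together.
    return lookup_user_parameterized(conn, validate_username(username))

# Option B: stand-in for a MySQL account granted only SELECT on the schema.
# SQLite has no GRANT, so an authorizer denies every action except reads.
def readonly_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY

def apply_readonly_role(conn):
    conn.set_authorizer(readonly_authorizer)

def try_drop_users(conn):
    # Returns "denied" when the connection lacks the privilege, "dropped" otherwise.
    try:
        conn.execute("DROP TABLE users")
        return "dropped"
    except sqlite3.Error:
        return "denied"

if __name__ == "__main__":
    conn = make_db()
    tautology = "x' OR '1'='1"          # constructed input that rewrites the WHERE clause
    print("vulnerable:   ", lookup_user_vulnerable(conn, tautology))   # every row leaks
    print("parameterized:", lookup_user_parameterized(conn, tautology))  # []
    try:
        lookup_user_safe(conn, tautology)
    except ValueError as exc:
        print("validated:    ", exc)
    apply_readonly_role(conn)
    print("read as SELECT-only:", lookup_user_safe(conn, "bob"))
    print("DROP as SELECT-only:", try_drop_users(conn))                 # denied
```

On a real MySQL deployment the authorizer would correspond to `GRANT SELECT ON app_db.* TO 'app'@'host'` for the application account; the point the example makes is the same as the explanation's: even when the input controls are bypassed, a SELECT-only account cannot execute DROP.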
Why D, E, G are wrong:
- D (hashing passwords) protects stored credentials - it has zero effect on whether injected SQL executes.
- E (removing anonymous accounts) is good hygiene but doesn't stop injection through an authenticated application account.
- G (changing root password) is a credential-rotation best practice after staff departures, not an injection control.
- C (SSL/TLS) is also wrong - encryption protects data in transit, not database command execution.
Memory tip: SQL injection prevention lives at the boundary where user data meets SQL. Ask yourself: "Does this control touch the query itself or the input feeding it?" If yes → relevant. Password hashing, account cleanup, and SSL operate at completely different layers.
If this is from an official certification exam, flag it - the answer key has a likely error.