CISSP · Question #1466
In software development, developers should use which type of queries to prevent a Structured Query Language (SQL) injection?
The correct answer is A. Parameterised. SQL injection attacks occur when untrusted input is concatenated directly into SQL statements. Parameterised queries (also called prepared statements) prevent this by separating SQL code from user-supplied data.
Question
In software development, developers should use which type of queries to prevent a Structured Query Language (SQL) injection?
Options
- AParameterised
- BDynamic
- CStatic
- DControlled
How the community answered
(25 responses)- A88% (22)
- C4% (1)
- D8% (2)
Why each option
SQL injection attacks occur when untrusted input is concatenated directly into SQL statements. Parameterised queries (also called prepared statements) prevent this by separating SQL code from user-supplied data.
Parameterised queries bind user input as typed parameters rather than embedding it directly into the SQL string, so the database engine treats the input strictly as data and never as executable SQL code. This separation ensures that even malicious input containing SQL syntax (e.g., ' OR '1'='1) cannot alter the query's logic, effectively neutralising SQL injection attacks.
Dynamic queries build SQL statements by concatenating user input at runtime, which is precisely the technique that creates SQL injection vulnerabilities rather than preventing them.
Static is not a recognised category of database query construction in the context of SQL injection prevention, and it does not describe the mechanism that neutralises injection attacks.
Controlled is not a defined query type in SQL development practices and has no specific technical meaning related to SQL injection prevention.
Concept tested: Preventing SQL injection with parameterised queries
Source: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
Topics
Community Discussion
No community discussion yet for this question.