nerdexam
(ISC)2

CISSP · Question #1466

In software development, developers should use which type of queries to prevent a Structured Query Language (SQL) injection?

The correct answer is A. Parameterised. SQL injection attacks occur when untrusted input is concatenated directly into SQL statements. Parameterised queries (also called prepared statements) prevent this by separating SQL code from user-supplied data.

Submitted by zhang_li· Mar 5, 2026Software Development Security

Question

In software development, developers should use which type of queries to prevent a Structured Query Language (SQL) injection?

Options

  • AParameterised
  • BDynamic
  • CStatic
  • DControlled

How the community answered

(25 responses)
  • A
    88% (22)
  • C
    4% (1)
  • D
    8% (2)

Why each option

SQL injection attacks occur when untrusted input is concatenated directly into SQL statements. Parameterised queries (also called prepared statements) prevent this by separating SQL code from user-supplied data.

AParameterisedCorrect

Parameterised queries bind user input as typed parameters rather than embedding it directly into the SQL string, so the database engine treats the input strictly as data and never as executable SQL code. This separation ensures that even malicious input containing SQL syntax (e.g., ' OR '1'='1) cannot alter the query's logic, effectively neutralising SQL injection attacks.

BDynamic

Dynamic queries build SQL statements by concatenating user input at runtime, which is precisely the technique that creates SQL injection vulnerabilities rather than preventing them.

CStatic

Static is not a recognised category of database query construction in the context of SQL injection prevention, and it does not describe the mechanism that neutralises injection attacks.

DControlled

Controlled is not a defined query type in SQL development practices and has no specific technical meaning related to SQL injection prevention.

Concept tested: Preventing SQL injection with parameterised queries

Source: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

Topics

#SQL injection#Secure coding#Parameterized queries#Web application security

Community Discussion

No community discussion yet for this question.

Full CISSP Practice