CISSP · Question #689
Which of the following is the BEST way to protect against Structured Query language (SQL) injection?
The correct answer is D. Use stored procedures.. SQL injection attacks exploit unsanitized user input to manipulate database queries. The best defense is using stored procedures, which separate code from data and prevent malicious input from altering query logic.
Question
Options
- AEnforce boundary checking.
- BRatfrict um of SELECT command.
- CRestrict HyperText Markup Language (HTML) source code
- DUse stored procedures.
How the community answered
(28 responses)- A11% (3)
- B4% (1)
- C4% (1)
- D82% (23)
Why each option
SQL injection attacks exploit unsanitized user input to manipulate database queries. The best defense is using stored procedures, which separate code from data and prevent malicious input from altering query logic.
Boundary checking addresses buffer overflow vulnerabilities by validating the size of input, but it does not prevent malicious SQL metacharacters or syntax from being injected into a query.
Restricting the SELECT command alone is insufficient because SQL injection can exploit INSERT, UPDATE, DELETE, and other statements, and attackers can still manipulate logic within permitted commands.
Restricting HTML source code is a client-side measure that addresses cross-site scripting (XSS) concerns, not SQL injection, which occurs at the database layer regardless of HTML output.
Stored procedures are precompiled SQL code stored in the database that accept parameters as data, not executable code, meaning user-supplied input cannot alter the query's logic or structure. Because the SQL statement is defined in advance and parameters are strongly typed, even malicious input like ' OR '1'='1 is treated as a literal string rather than SQL syntax. This parameterization technique is the most robust and widely recommended defense against SQL injection.
Concept tested: Preventing SQL injection using stored procedures
Source: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
Topics
Community Discussion
No community discussion yet for this question.