
CISSP · Question #689

CISSP Question #689: Real Exam Question with Answer & Explanation

The correct answer is D: Use stored procedures.

Submitted by chen.hong · Mar 5, 2026 · Software Development Security

Question

Which of the following is the BEST way to protect against Structured Query Language (SQL) injection?

Options

  • A. Enforce boundary checking.
  • B. Restrict use of SELECT command.
  • C. Restrict HyperText Markup Language (HTML) source code.
  • D. Use stored procedures.

Explanation

SQL injection attacks exploit unsanitized user input to manipulate database queries. The best defense is using stored procedures, which separate code from data and prevent malicious input from altering query logic.

Common mistakes.

  • A. Boundary checking addresses buffer overflow vulnerabilities by validating the size of input, but it does not prevent malicious SQL metacharacters or syntax from being injected into a query.
  • B. Restricting the SELECT command alone is insufficient because SQL injection can exploit INSERT, UPDATE, DELETE, and other statements, and attackers can still manipulate logic within permitted commands.
  • C. Restricting HTML source code is a client-side measure that addresses cross-site scripting (XSS) concerns, not SQL injection, which occurs at the database layer regardless of HTML output.
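An added example (not from this question page or from OWASP) showing the point of the explanation and of mistake A side by side. SQLite has no stored procedures, so the hardened lookup uses a parameterized query, which gives the same separation of code from data that a stored procedure called with bound parameters provides; the table rows, the length limit and the test input are constructed.

```python
import sqlite3

# Constructed sample rows for an in-memory database (not real data).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]
MAX_NAME_LEN = 20  # assumed length limit for the boundary-check example


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    # The input is spliced into the SQL text, so it becomes part of the
    # query *code* and metacharacters can rewrite the WHERE clause.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_boundary_checked(conn: sqlite3.Connection, name: str) -> list:
    # Option A: a size check only. Short hostile input passes the check
    # and is still concatenated, so the query logic can still be altered.
    if len(name) > MAX_NAME_LEN:
        raise ValueError("name too long")
    return lookup_concatenated(conn, name)


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # The SQL text is fixed before the value is bound, so whatever the
    # input contains, it is only ever compared as *data* against name.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo(hostile: str = "x' OR '1'='1") -> tuple:
    # Row counts each lookup returns for one constructed hostile input:
    # both concatenating versions return every row, the bound one none.
    conn = make_db()
    return (
        len(lookup_concatenated(conn, hostile)),
        len(lookup_boundary_checked(conn, hostile)),
        len(lookup_parameterized(conn, hostile)),
    )


if __name__ == "__main__":
    print(demo())  # (2, 2, 0)
```

A stored procedure gives this protection only when it is invoked with bound parameters and does not itself assemble dynamic SQL from its arguments; a procedure that concatenates internally reintroduces the same defect.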

Concept tested. Preventing SQL injection using stored procedures.

Reference. https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

Topics

#SQL injection, #secure coding, #stored procedures, #application security
