GCIH · Question #785
Analyze the included screenshot. What is a best practice to mitigate against this type of event?
The correct answer is C. Utilize parameterized queries in the source code. The screenshot depicts a SQL injection attack, and parameterized queries (prepared statements) are the industry-standard defense because they structurally separate code from data.
Question
Analyze the included screenshot. What is a best practice to mitigate against this type of event?
Options
- ABlock outgoing SNMP traffic from the webserver to the Internet
- BInclude client-side filtering of semi-colons and commas
- CUtilize parameterized queries in the source code
- DFilter non-alphanumeric or period characters at the server
How the community answered
(40 responses)- A8% (3)
- B15% (6)
- C73% (29)
- D5% (2)
Why each option
The screenshot depicts a SQL injection attack, and parameterized queries (prepared statements) are the industry-standard defense because they structurally separate code from data.
Blocking outgoing SNMP traffic is unrelated to SQL injection, which is an application-layer vulnerability in the web server, not a network protocol issue.
Client-side filtering is trivially bypassed by an attacker who intercepts requests with a proxy tool, making it an ineffective defense against SQL injection.
Parameterized queries force the database engine to treat user-supplied input strictly as data values and never as executable SQL syntax, eliminating the possibility of injection regardless of the input content. This server-side defense in the source code is more robust than any input filtering approach because it addresses the root cause - the mixing of code and data.
Blocking non-alphanumeric characters at the server is an incomplete blocklist approach that can break legitimate inputs and may still miss injection vectors using encoded or alternative syntax.
Concept tested: SQL injection prevention using parameterized queries
Source: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
Topics
Community Discussion
No community discussion yet for this question.