nerdexam
GIAC

GCIH · Question #785

Analyze the included screenshot. What is a best practice to mitigate against this type of event?

The correct answer is C. Utilize parameterized queries in the source code. The screenshot depicts a SQL injection attack, and parameterized queries (prepared statements) are the industry-standard defense because they structurally separate code from data.

Web Application Attacks & Post-Exploitation

Question

Analyze the included screenshot. What is a best practice to mitigate against this type of event?

Options

  • ABlock outgoing SNMP traffic from the webserver to the Internet
  • BInclude client-side filtering of semi-colons and commas
  • CUtilize parameterized queries in the source code
  • DFilter non-alphanumeric or period characters at the server

How the community answered

(40 responses)
  • A
    8% (3)
  • B
    15% (6)
  • C
    73% (29)
  • D
    5% (2)

Why each option

The screenshot depicts a SQL injection attack, and parameterized queries (prepared statements) are the industry-standard defense because they structurally separate code from data.

ABlock outgoing SNMP traffic from the webserver to the Internet

Blocking outgoing SNMP traffic is unrelated to SQL injection, which is an application-layer vulnerability in the web server, not a network protocol issue.

BInclude client-side filtering of semi-colons and commas

Client-side filtering is trivially bypassed by an attacker who intercepts requests with a proxy tool, making it an ineffective defense against SQL injection.

CUtilize parameterized queries in the source codeCorrect

Parameterized queries force the database engine to treat user-supplied input strictly as data values and never as executable SQL syntax, eliminating the possibility of injection regardless of the input content. This server-side defense in the source code is more robust than any input filtering approach because it addresses the root cause - the mixing of code and data.

DFilter non-alphanumeric or period characters at the server

Blocking non-alphanumeric characters at the server is an incomplete blocklist approach that can break legitimate inputs and may still miss injection vectors using encoded or alternative syntax.

Concept tested: SQL injection prevention using parameterized queries

Source: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

Topics

#SQL injection mitigation#parameterized queries#input validation#secure coding

Community Discussion

No community discussion yet for this question.

Full GCIH Practice