When reviewing the source code of a web application, you come across a function that interacts directly with the database using user-supplied input without proper sanitation. Which of the following practices is the BEST to recommend to the development team to mitigate the risk associated with this kind of vulnerability?
Encrypting user input before including it in database queries
Use parameterized queries for database access
Client-side input validation
Employ input length restrictions for all user-supplied input fields
The correct answer is C, 'Use parameterized queries,' because this technique prevents the database layer from distinguishing between the code and the data, regardless of the user input. This makes it very effective in preventing injection attacks, as it ensures that user input cannot interfere with the query structure. Option A, 'Client-side input validation,' is not effective by itself because attackers can bypass client-side controls. Option B, 'Encrypting user input,' doesn't prevent injection, as the malicious input would still be executed if decrypted for processing. Option D, 'Employing input length restrictions,' can help to some extent but doesn't address the fundamental problem that the user input may be interpreted as code.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are parameterized queries and how do they work?
Open an interactive chat with Bash
What are the risks of not sanitizing user input?
Open an interactive chat with Bash
Why is client-side input validation not sufficient on its own?