Application Security · Flashcard

How should an application prevent SQL injection?

  • A. Use parameterized queries with bind variables — never building SQL by string concatenation
  • B. Escape quotes and special characters in the input — before concatenating it into the SQL
  • C. Strip SQL keywords such as SELECT and DROP — out of every value that the user submits
  • D. Run the database account with read-only rights — so injected queries cannot modify data

Why this is the answer

Answer A. Bind variables send the query text and the input values to the database separately, so the input is always treated as data and can never change the structure of the statement (CWE-89). The other options fail in practice: manual escaping only helps inside a quoted string literal, does nothing in numeric, identifier or ORDER BY positions, and depends on charset and driver details; keyword stripping mangles legitimate values (a name containing "select") and is defeated by encodings and nested keywords that reassemble after one pass; a read-only database account limits what an injected statement can modify but does not prevent the injection itself or the theft of data through SELECT. One caveat: bind variables cover values only, so table and column names or sort directions taken from input still need an allowlist.
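The following added example (not part of the flashcard, written here to illustrate the explanation) runs each of the four approaches against a constructed in-memory SQLite table. It shows the concatenated and quote-escaped queries being turned into a different statement by the input, keyword stripping both breaking a valid value and being bypassed, and the bound query treating the same payloads as plain data. Table and row contents are constructed sample data.

```python
import re
import sqlite3


def make_db():
    """Build an in-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice-secret"),
        (2, "bob", "bob-secret"),
        (3, "O'Neill", "oneill-secret"),
    ])
    return conn


def names_concat(conn, user_id):
    """Vulnerable: the input is pasted into the statement, so it becomes query structure."""
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]


def names_escaped(conn, user_id):
    """Still vulnerable: doubling quotes is irrelevant in an unquoted numeric position."""
    sql = "SELECT name FROM users WHERE id = " + user_id.replace("'", "''")
    return [row[0] for row in conn.execute(sql)]


def strip_keywords(value):
    """Single-pass keyword stripping: damages legitimate values and is trivially reassembled."""
    return re.sub(r"SELECT|UNION|DROP", "", value, flags=re.IGNORECASE)


def secrets_concat(conn, name):
    """Vulnerable even with a read-only account: a SELECT-only injection still leaks data.
    Also breaks on valid input such as O'Neill, because the apostrophe ends the literal."""
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def names_param(conn, user_id):
    """Correct: a bind variable; the whole input string is compared against id as data."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


def secrets_param(conn, name):
    """Correct: quotes in the value need no escaping and cannot close the literal."""
    rows = conn.execute("SELECT secret FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("concat, honest input :", names_concat(db, "1"))
    print("concat, injected     :", names_concat(db, "1 OR 1=1"))
    print("escaped, injected    :", names_escaped(db, "1 OR 1=1"))
    print("stripped, nested     :", strip_keywords("SELSELECTECT"))
    print("stripped, valid name :", strip_keywords("Selections Ltd"))
    print("concat secret leak   :", secrets_concat(db, "' OR '1'='1"))
    print("param, injected id   :", names_param(db, "1 OR 1=1"))
    print("param, injected name :", secrets_param(db, "' OR '1'='1"))
    print("param, valid name    :", secrets_param(db, "O'Neill"))
```

Run it and compare the "injected" lines: the concatenated and escaped variants return every row, the stripped input comes out as a live `SELECT`, and the parameterized queries return nothing for the payloads while still matching the legitimate apostrophe-bearing name.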
