A development team wants to allow users to search orders by customer name and date range. Logs show the team currently concatenates the filter values into SQL strings. Which change best reduces SQL injection risk without removing the search feature?

Escape apostrophes in the input before building the SQL statement.

Manual escaping is fragile and often misses edge cases, encodings, and alternate injection paths.

Disable database error messages so attackers cannot see query details.

Hiding errors reduces information leakage but does not stop the injection vulnerability from existing.

Place the application behind a VPN so only internal users can run searches.

Restricting network access lowers exposure, but insiders or compromised accounts could still inject SQL.

What does this SY0-701 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: Use parameterized queries or prepared statements for the search filters. — Parameterized queries or prepared statements are the best fix because they keep user input separate from SQL logic. That prevents injected characters or clauses from changing the intended query structure. This approach preserves the search feature while removing the unsafe string-concatenation pattern that creates SQL injection risk. It is stronger than filtering or hiding errors and is the standard remediation for this flaw. Why others are wrong: Escaping characters by hand is incomplete and frequently broken by encoding or logic mistakes. Disabling database errors can reduce leakage, but the injection vulnerability remains exploitable. Putting the app behind a VPN narrows access, yet it does not fix the code flaw and still leaves trusted users or compromised internal systems able to attack it.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.