A security team is reviewing a web application that allows users to search for products. The application uses a SQL database and constructs queries by concatenating user input directly into the SQL statement. Which of the following is the most effective mitigation against SQL injection attacks?
- A
Using parameterized queries with prepared statements
Correct: Parameterized queries separate SQL code from data, preventing injection.
- B
Escaping all user input before concatenation
Why wrong: Escaping can be error-prone and may not cover all cases.
- C
Input validation using a blacklist of known malicious patterns
Why wrong: Blacklisting is often incomplete and can be bypassed.
- D
Implementing a Web Application Firewall (WAF)
Why wrong: A WAF provides detection but not comprehensive prevention.