Home › BCA Cyber Security › cybersecurity › Web Security — OWASP › SQL INJECTION (SQLi) is a vulnerability where an…
SQL INJECTION (SQLi) is a vulnerability where an attacker
Aguesses the database password
Binserts malicious SQL via user input
Cphysically steals the database server
DDDoSes the database
Answer & Solution
Correct answer: B. inserts malicious SQL via user input
1. SQL INJECTION: when application code builds SQL by string-concatenating user input.
2. Example: `SELECT * FROM users WHERE name = '` + userInput + `'`. If userInput = `' OR '1'='1`, the query becomes `... WHERE name = '' OR '1'='1'` — returns all rows.
3. PRIMARY MITIGATION: PARAMETERISED QUERIES (prepared statements). User input is passed as a separate parameter, never inlined into SQL string.
4. Secondary mitigations: input validation, least-privilege DB user, web application firewall (WAF).
5. Falls under A03: Injection in OWASP Top 10 2021.
_Source: OWASP Top 10 2021 — A03: Injection._
Related questions
What does HTTPS provide over plain HTTP?Which OWASP category covers using libraries with KNOWN CVEs?OWASP recommends LOGGING and MONITORING for the SECURITY LIFECYCLE becauseAn IDOR (Insecure Direct Object Reference) attack happens whenCROSS-SITE REQUEST FORGERY (CSRF) is best mitigated byWhich mitigation is the SINGLE most effective defense against SQL Injection?SERVER-SIDE REQUEST FORGERY (SSRF) — A10 in OWASP 2021 — happens whenWhat does the SECURITY MISCONFIGURATION category (A05 in 2021) typically include?