Home › BCA Cyber Security › cybersecurity › Web Security — OWASP › Which mitigation is the SINGLE most effective de…
Which mitigation is the SINGLE most effective defense against SQL Injection?
ARegular database backups
BWeb Application Firewall (WAF)
CParameterised queries (prepared statements)
DStrong passwords
Answer & Solution
Correct answer: C. Parameterised queries (prepared statements)
1. PARAMETERISED QUERIES (prepared statements): user input is passed to the database driver as a separate PARAMETER from the SQL statement.
2. The driver never CONCATENATES the user input into the SQL string — so a malicious payload like `' OR '1'='1` is treated as a literal value, not as SQL syntax.
3. Available in every modern language/DB: e.g. `cursor.execute('SELECT * FROM u WHERE name=?', (name,))` in Python, `PreparedStatement` in Java, parameterised queries in node-postgres.
4. Backups (A) help recovery but don't prevent SQLi. WAF (B) is a USEFUL second layer but bypass-able. Strong passwords (D) are unrelated.
5. Even if a developer makes a mistake, parameterisation is structural — no string concat = no SQLi.
_Source: OWASP Top 10 2021 — A03 mitigations + OWASP Injection Prevention Cheat Sheet._
Related questions
What does HTTPS provide over plain HTTP?Which OWASP category covers using libraries with KNOWN CVEs?OWASP recommends LOGGING and MONITORING for the SECURITY LIFECYCLE becauseAn IDOR (Insecure Direct Object Reference) attack happens whenCROSS-SITE REQUEST FORGERY (CSRF) is best mitigated bySERVER-SIDE REQUEST FORGERY (SSRF) — A10 in OWASP 2021 — happens whenWhat does the SECURITY MISCONFIGURATION category (A05 in 2021) typically include?The OWASP 2021 category A04 'INSECURE DESIGN' is a NEW category that addresses