Practice free →
HomeBCA Cyber SecuritycybersecurityWeb Security — OWASP › Which mitigation is the SINGLE most effective de…

Which mitigation is the SINGLE most effective defense against SQL Injection?

ARegular database backups
BWeb Application Firewall (WAF)
CParameterised queries (prepared statements)
DStrong passwords
Answer & Solution
Correct answer: C. Parameterised queries (prepared statements)
1. PARAMETERISED QUERIES (prepared statements): user input is passed to the database driver as a separate PARAMETER from the SQL statement. 2. The driver never CONCATENATES the user input into the SQL string — so a malicious payload like `' OR '1'='1` is treated as a literal value, not as SQL syntax. 3. Available in every modern language/DB: e.g. `cursor.execute('SELECT * FROM u WHERE name=?', (name,))` in Python, `PreparedStatement` in Java, parameterised queries in node-postgres. 4. Backups (A) help recovery but don't prevent SQLi. WAF (B) is a USEFUL second layer but bypass-able. Strong passwords (D) are unrelated. 5. Even if a developer makes a mistake, parameterisation is structural — no string concat = no SQLi. _Source: OWASP Top 10 2021 — A03 mitigations + OWASP Injection Prevention Cheat Sheet._
Solve this in the app — BCA Cyber Security practice & 24k+ MCQs →
Related questions