5 exercises on SQL injection prevention vocabulary.
1 / 5
What is the root cause of SQL injection?
SQL injection: when user input is concatenated into a query string, an attacker can inject SQL syntax (e.g., ' OR 1=1 --) that the database executes, exposing or altering data.
2 / 5
What is the single most effective defense against SQL injection?
Parameterized queries (prepared statements): the SQL text with placeholders is sent to the database separately from the parameter values, so input is always bound as data and never parsed as SQL. This eliminates injection for values regardless of what the user types. The caveat is that only values can be bound: identifiers such as table or column names and ORDER BY directions cannot be parameters and must be checked against an allowlist instead.
3 / 5
Why is blacklisting dangerous characters an unreliable defense?
Blacklisting: trying to strip or escape bad characters is brittle - alternate encodings, comment sequences, and numeric contexts that need no quote characters at all evade it, and it corrupts valid data (a name like O'Brien loses its apostrophe). Parameterization addresses the root cause instead.
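The first three cards (root cause, parameterized queries, and why blacklisting fails) in working code. This is an added example, not code from the original page; it assumes Python's standard-library sqlite3 module with an in-memory database, and the users table and its three rows are constructed sample data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the original page): three users,
    one of them with an apostrophe in the name."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hunter2');
        INSERT INTO users VALUES (2, 'bob', 'letmein');
        INSERT INTO users VALUES (3, 'O''Brien', 'shamrock');
        """
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Root cause: user input is concatenated into the query text, so it can
    change the query's structure. The payload ' OR 1=1 -- closes the string
    literal, adds a tautology, and comments out the password check."""
    sql = ("SELECT name FROM users WHERE name = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def strip_quotes(value: str) -> str:
    """A blacklist 'defense': delete single quotes before concatenating.
    It also silently mangles legitimate input such as O'Brien."""
    return value.replace("'", "")


def user_by_id_blacklisted(conn, user_id: str) -> list:
    """Numeric context: the value is not quoted in the SQL, so a payload like
    2 OR 1=1 contains no quote characters and the blacklist never fires."""
    sql = "SELECT name FROM users WHERE id = " + strip_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username: str, password: str) -> list:
    """The SQL text is fixed; the driver binds the values separately, so the
    payload is compared as a literal string and matches no row."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def user_by_id_parameterized(conn, user_id: str) -> list:
    """Bind the id as an integer: non-numeric input fails int() before any SQL
    is built, and the placeholder keeps the query shape fixed."""
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(user_id),))]


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable   :", login_vulnerable(conn, payload, "x"))
    print("parameterized:", login_parameterized(conn, payload, "x"))
    print("blacklisted  :", user_by_id_blacklisted(conn, "2 OR 1=1"))
    print("O'Brien login:", login_parameterized(conn, "O'Brien", "shamrock"))
```

Run it and compare the three query styles on the same payloads: the concatenated login returns every user, the quote-stripping version is bypassed by an unquoted numeric payload, and the parameterized versions return only genuine matches while still handling the apostrophe in O'Brien.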
4 / 5
How does the principle of least privilege limit injection damage?
Least privilege: if the application connects with an account that cannot drop tables or read other schemas, a successful injection causes far less harm. It is defense in depth, not a replacement for parameterization.
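The least-privilege card in working code. This is an added example, not code from the original page. It assumes Python's standard-library sqlite3 module; because SQLite has no user accounts, the connection's authorizer hook stands in for a database role that may only SELECT from one table (in a server database you would GRANT that to the application's account instead). The products and admin_tokens tables and their rows are constructed sample data, and the search function is left deliberately injectable to show what a successful injection can and cannot reach.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the original page): a table the app
    legitimately reads and a table it should never be able to touch."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE admin_tokens (id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO products VALUES (1, 'widget');
        INSERT INTO products VALUES (2, 'gadget');
        INSERT INTO admin_tokens VALUES (1, 'tok-constructed-0001');
        """
    )
    return conn


def restrict_to_products(conn: sqlite3.Connection) -> None:
    """Emulate a least-privilege account: SELECT only, and only on products.
    Every other action (reads of other tables, DROP, DELETE, UPDATE) is denied
    by the database, not by application code."""
    allowed_tables = {"products"}

    def authorizer(action, table, column, db_name, trigger):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and table in allowed_tables:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)


def search_vulnerable(conn, term: str) -> list:
    """Still built by concatenation, so still injectable; the point of this
    example is what the connection's privileges let the injection do."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def attempt_search(conn, term: str):
    """Run the vulnerable search; return rows or the database's refusal."""
    try:
        return search_vulnerable(conn, term)
    except sqlite3.DatabaseError as exc:
        return "denied: " + str(exc)


def attempt_drop(conn):
    """A destructive statement, to show the role also blocks data loss."""
    try:
        conn.execute("DROP TABLE products")
        return "dropped"
    except sqlite3.DatabaseError as exc:
        return "denied: " + str(exc)


if __name__ == "__main__":
    payload = "' UNION SELECT token FROM admin_tokens --"
    wide_open = make_db()
    print("over-privileged:", attempt_search(wide_open, payload))
    locked_down = make_db()
    restrict_to_products(locked_down)
    print("least-privilege:", attempt_search(locked_down, payload))
    print("legitimate use :", attempt_search(locked_down, "widget"))
    print("drop attempt   :", attempt_drop(locked_down))
```

The injection succeeds syntactically on both connections; on the over-privileged one it reads the admin token, on the restricted one the database refuses the read of admin_tokens and the DROP, while the legitimate search keeps working. That is the defense-in-depth point: the vulnerability is still there and still needs parameterization, but the blast radius is smaller.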
5 / 5
When using an ORM, how can SQL injection still occur?
ORM caveat: ORMs parameterize their generated queries, but using raw SQL escape hatches with interpolated user input reintroduces the vulnerability. Always parameterize even in raw queries.