Exam 350-701 topic 1 question 13 discussion

Option C, Securing the connection between the web and the app tier, is important for overall security, but it is not directly related to preventing SQL injection attacks. Having a secure connection ensures that the data being transmitted between the web and app tier is protected, but it does not prevent attackers from injecting malicious code into the SQL command. Option D, Writing SQL code instead of using object-relational mapping libraries, can help prevent SQL injection attacks by giving you more control over the SQL commands being executed, but it is not a guarantee. It is still possible to make mistakes in the SQL code that can lead to SQL injection vulnerabilities. Prepared statements and parameterized queries (Option B) is a more robust method of preventing SQL injection attacks, regardless of whether you are using an ORM library or writing raw SQL code. In summary, B and E are the best options for preventing SQL injection attacks. While C and D may improve overall security, they do not directly address SQL injection vulnerabilities.

Changing back to A and B based on this statement that comes at the beginning of the section on mitigating these attacks: The primary approaches include validation of user-supplied data, in the form of whitelisting or blacklisting, and the construction of SQL statements such that user-supplied data cannot influence the logic of the statement. Last sentence is all about the statements and A and B are directly about that so must be those two.

IT is B and D according to the URL provided. Parameterized statements Main article: Prepared statement With most development platforms, parameterized statements that work with parameters can be used (sometimes called placeholders or bind variables) instead of embedding user input in the statement. A placeholder can only store a value of the given type and not an arbitrary SQL fragment. Hence the SQL injection would simply be treated as a strange (and probably invalid) parameter value. In many cases, the SQL statement is fixed, and each parameter is a scalar, not a table. The user input is then assigned (bound) to a parameter.[24] Enforcement at the coding level Using object-relational mapping libraries avoids the need to write SQL code. The ORM library in effect will generate parameterized SQL statements from object-oriented code.

After further reading i changed to A, B. https://en.wikipedia.org/wiki/SQL_injection

B. Prepared statements and parameterized queries are a way of separating the SQL code from the data that is being passed into the query. By doing this, the SQL injection attack is prevented because the attacker cannot inject any SQL code into the prepared statement or parameterized query. C. Securing the connection between the web and the app tier is also an important prevention technique to mitigate SQL injection attacks. This is because an attacker can intercept network traffic and view the data that is being passed between the web and the app tier. By using SSL or TLS encryption, the data that is being passed between the two tiers is encrypted, making it much harder for an attacker to view or manipulate.

This is from this link: Parameterized queries in ASP.NET, prepared statements in Java, or similar techniques in other languages should be used comprehensively in addition to strict input validation. Each of these techniques performs all required escaping of dangerous characters before the SQL statement is passed to the underlying database system.