Exam 350-901 topic 1 question 306 discussion

B is a parameterization method, better for SQL Injection; C is a ecaping method, better for XSS according to the DevCore study guide Moreover C has a syntax error Moreover ChatGPT sais B: This code is using Python to execute a SQL query against a database using parameterized queries to prevent SQL injection attacks. Specifically, it is selecting the orders column from the purchases table where the username column matches the username variable. The username variable is passed in as a parameter in a dictionary format using the % operator to substitute the value into the query string. This approach is recommended for preventing SQL injection attacks because it ensures that user input is treated as data rather than as part of the SQL statement itself.

the use of placeholder and key value will prevent inject SQL injection.

Regarding to the MySQL Document, it presented following demo code: select_stmt = "SELECT * FROM employees WHERE emp_no = %(emp_no)s" cursor.execute(select_stmt, { 'emp_no': 2 }) Therefore, I choose the answer B as the correct one.

This is getting discussed a lot so I took the Time to write some code and test this. Here is my code: https://gist.github.com/Ghiritaia/0e07dc4ed05763738298453927c05450. Answers A and D are the same and therefore correct. I'll go with D because is the cleaner code.

I think the answer could be C, as the other answers do not do any escaping, only C does. The following syntax is correct >>> print(" what is '%s' " % ("hello".replace("","")))

Both A and D are the same answer. They both work. Depends on Python2 or python3

Yes, answer is A.

the given answer is correct. it can't be A. A is same as D. https://www.w3schools.com/sql/sql_injection.asp

Answer is A