Question

What is the benefit of using “prepared statements” in the prevention of SQL injection?

Select one:

a.

User input is treated as secret data like passwords.

b. User input is properly treated as commands, rather than as secret data like passwords

c. With them it is easier to construct a SQL query

d. They ensure user input is parsed as data, not (potentially) code

Answer 1

Answer:

D. They ensure user input is parsed as data, not (potentially) code, It is the answer to prevent any sort of injections like SQL. It prevents any sort of injections. User inputs must be treated as data and not as commands. In every case. Otherwise, the commands will execute depending on the context of the flow, like if it is being reflected on the screen, you may be able to execute JS/HTML and thus reflected XSS; if it is hitting a DB, a number of types of SQLi or command injections, etc.

Why other options are wrong?

Options A, B, C doesn't prevent it.

A: Makes no sense. Even passwords are not secret input data, they pretty much work like all inputs except that they hit DB - which is the case in every SQL exploit.

B.) Makes no sense again. The handling of user input in this or that way is not the question, but, whether or not we can inject SQL commands, The simple commands may also allow attaching SQL quires.

C.) Again, has nothing to do with 'SQL preventions.

Upvote the answer (as much needed and valuable for me) if it helps else let me know your doubts. Thank you!!!!!!!!