During penetration testing of a financial web application, you discover that the application constructs SQL queries by concatenating user-supplied input, leading to successful UNION-based injection in the account search feature. Developers propose several fixes. Which single change would most reliably eliminate this vulnerability while requiring minimal changes to existing business logic?
Add client-side JavaScript that strips special characters before the form is submitted
Replace all dynamic SQL construction with prepared statements that bind user input as parameters
Migrate the application from MySQL to a NoSQL database engine
Append a static ORDER BY clause to the query to hide injected UNION results
Concatenating untrusted input directly into an SQL string allows attackers to break query structure and inject their own commands. Replacing every ad-hoc string with a parameterized prepared statement forces the database driver to treat user input strictly as data, not executable code, eliminating the injection vector regardless of the specific payload. Adding an ORDER BY clause does nothing to stop manipulation of the query structure. Switching to a different database back-end does not inherently solve the problem because the vulnerability lies in the application code, not the DBMS. Client-side JavaScript filtering can be bypassed easily with modified requests or disabled scripts, so it cannot be relied on as a primary defense. Therefore, adopting prepared statements with bound parameters is the most effective and practical countermeasure.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are SQL injection attacks and why are they dangerous?