A large financial institution has recently discovered unauthorized database access where customer records were compromised. Analysis showed that an attacker executed malicious commands by manipulating input fields on the institution's website. What security measure would most effectively address this specific vulnerability?
The correct answer is implementing parameterized queries. The scenario describes a SQL injection attack, where an attacker was able to insert malicious SQL commands through a web application input field. Parameterized queries (also known as prepared statements) prevent SQL injection by separating SQL code from user-supplied data, treating the input as data rather than executable code. This approach forces developers to define all SQL code first and then pass in each parameter to the query later. Even if an attacker tries to inject malicious SQL commands, those commands will be treated as simple strings rather than executable code.
Encrypting database fields would protect data at rest but would not prevent SQL injection, since the application still decrypts the data for legitimate queries and an injected command would run through that same path. Implementing a Web Application Firewall (WAF) might help detect some SQL injection attempts, but it is not as effective as fixing the core problem in the code itself. Role-Based Access Control (RBAC) is important for limiting user privileges but does not address the fundamental SQL injection vulnerability in the application code.
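To make the difference between string-built SQL and a parameterized query concrete, here is an added example (not part of the original question or explanation). It uses Python's built-in sqlite3 driver with a constructed in-memory customer table; the table name, column names, function names and the sample input are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data standing in for the institution's customer database.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, account TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, account) VALUES (?, ?)",
        [("alice", "ACC-001"), ("bob", "ACC-002"), ("carol", "ACC-003")],
    )
    return conn

def lookup_vulnerable(conn, name):
    # Vulnerable form: user input is concatenated into the SQL text, so the
    # database parser treats whatever the input contains as part of the query.
    sql = "SELECT name, account FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # Fixed form: the SQL text is defined first with a placeholder, and the
    # driver binds the value separately. The input is only ever compared as a
    # literal string; it can never change the structure of the statement.
    sql = "SELECT name, account FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

if __name__ == "__main__":
    conn = build_db()
    normal = "alice"
    # Constructed input that closes the quoted literal and appends an
    # always-true condition, the classic textbook injection string.
    hostile = "' OR '1'='1"
    print(lookup_vulnerable(conn, normal))      # [('alice', 'ACC-001')]
    print(lookup_vulnerable(conn, hostile))     # all three rows: the WHERE clause became always-true
    print(lookup_parameterized(conn, hostile))  # []: no customer is literally named "' OR '1'='1"
    print(lookup_parameterized(conn, normal))   # [('alice', 'ACC-001')]
```

The same input that dumps every row through the concatenated query matches nothing through the parameterized one, which is exactly the "data, not code" separation the explanation describes.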
ISC2 CISSP
Security Architecture and Engineering