A software development team at a financial services company is building a new customer portal. During a code review, a security architect notices that the developers are using string formatting to construct database queries with data from user-submitted web forms. The architect is concerned about the risk of SQL injection. Which of the following recommendations would be the MOST effective and robust long-term solution to mitigate this specific vulnerability class in the application?
Parameterized queries (also known as prepared statements) are the correct solution because they separate SQL code from data: the statement is sent to the database with placeholders, and the user-supplied values are bound to those placeholders by the driver. The database parses the query structure before it ever sees the input, so a value can never be reinterpreted as part of the statement, regardless of what characters it contains. Two practical caveats: placeholders bind values only, so dynamic identifiers such as table or column names (for example a user-selected sort column) cannot be parameterized and must be checked against an allow list; and the protection applies only where it is actually used, so the fix is to make parameterized access the project's sole query pattern (directly or through an ORM that parameterizes underneath), not to patch the one query the reviewer happened to find.
Input sanitization involves filtering, escaping, or otherwise cleaning user input to remove potentially malicious characters before it is spliced into a query. While this can reduce the risk of SQL injection, it is not as reliable as parameterized queries: the rules are specific to the database engine and to the position in the query where the value lands (inside quotes, in a numeric context, in a LIKE pattern), filters are routinely bypassed with alternate encodings or engine-specific syntax, and every code path that builds a query must remember to apply them. Sanitization treats the symptom while leaving the underlying mixing of code and data in place.
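To make the distinction concrete, here is an added example (not part of the original explanation) that reproduces the pattern the architect flagged and the parameterized replacement side by side. It uses Python's standard-library sqlite3 against a constructed in-memory customers table so it runs offline; the table, the sample rows, and the function names are assumptions for illustration, but the same placeholder pattern applies to any DB-API driver. The third function shows the one thing placeholders cannot do, binding an identifier, and the allow-list check that covers it.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for the
# portal's customer table. Values are illustrative only.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO customers (username, password_hash, balance) VALUES (?, ?, ?)",
        [("alice", "hash-a", 100.0), ("bob", "hash-b", 250.0)],
    )
    return conn


def find_customer_vulnerable(conn, username):
    # The pattern flagged in review: string formatting splices the raw form
    # value into the SQL text, so quote characters in the input change the
    # statement itself.
    sql = f"SELECT id, username FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn, username):
    # Parameterized query: the statement is fixed, '?' is a placeholder, and
    # the driver binds the value. Whatever the input contains, it is compared
    # as a literal string and never parsed as SQL.
    sql = "SELECT id, username FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Placeholders bind values, not identifiers. A user-chosen sort column has to
# be checked against a fixed allow list before it can appear in the query.
ALLOWED_SORT_COLUMNS = {"username", "balance"}


def list_customers_sorted(conn, sort_column):
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    # Safe only because sort_column is now known to be one of our own names.
    return conn.execute(f"SELECT username FROM customers ORDER BY {sort_column}").fetchall()


if __name__ == "__main__":
    db = make_db()
    # Classic tautology payload: closes the quote and appends an always-true clause.
    payload = "x' OR '1'='1"
    print("vulnerable:", find_customer_vulnerable(db, payload))   # every row leaks
    print("parameterized:", find_customer_safe(db, payload))      # no match
    print("sorted:", list_customers_sorted(db, "balance"))
```

Run as a script it prints both customers for the vulnerable lookup and an empty list for the parameterized one with the identical input; the only difference between the two functions is whether the value travels inside the SQL text or beside it as a bound parameter.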
Error handling focuses on managing application responses when errors occur. While proper error handling is important for security (preventing information leakage that could aid an attacker), it does not prevent SQL injection attacks from occurring in the first place. It might hide error details from attackers but does not fix the underlying vulnerability.
Secure logging is the practice of properly recording application events without exposing sensitive information. While logging is crucial for security monitoring and incident response, it does not prevent SQL injection attacks. Logging would only record that an attack happened but would not stop it from succeeding.
ISC2 CISSP
Software Development Security