A cybersecurity analyst is reviewing a vulnerability scan report for a legacy web application. The report flags a critical SQL injection vulnerability on the user login page where the code dynamically constructs a query by concatenating user-provided input. Which of the following recommendations offers the most effective and secure long-term mitigation for this specific vulnerability?
Implement a web application firewall (WAF) with rules to block common SQL injection patterns.
Encrypt the user credentials stored in the database.
Refactor the database queries to use parameterized statements.
Apply strict input validation using a denylist to filter special characters like apostrophes and semicolons.
Refactoring the code to use parameterized queries (also known as prepared statements) is the most effective and secure long-term solution for SQL injection vulnerabilities. This technique ensures that user input is treated strictly as data and is never executed as part of the SQL command, directly preventing the injection. Implementing a Web Application Firewall (WAF) is a valuable compensating control but does not fix the underlying code vulnerability. Input validation using a denylist is notoriously easy to bypass and is not a reliable primary defense. Encrypting data at rest protects the information if the database is compromised but does not prevent the SQL injection attack itself.
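The two patterns side by side, as an added example that is not part of the original question: a login check that concatenates input into the SQL string (the flagged defect) next to the same check rewritten with parameterized placeholders, run against a constructed in-memory SQLite table. The table contents, the user names and the test inputs are all constructed for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed in-memory users table standing in for the legacy app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("o'brien", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The flagged pattern: the query text is built by concatenation,
    so whatever the user types is parsed as part of the SQL statement."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    try:
        return [row[0] for row in conn.execute(query)]
    except sqlite3.OperationalError:
        # A legitimate apostrophe (o'brien) already breaks the statement:
        # the input has changed the query's structure, not just its data.
        return None


def login_parameterized(conn, username, password):
    """The fix: placeholders in the statement, values bound separately.
    The driver passes the input as data; it is never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# Classic tautology input used to verify the remediation: under concatenation
# the WHERE clause becomes true for every row; under binding it is just a string.
TAUTOLOGY = "' OR '1'='1"
```

Note that a denylist filtering apostrophes, as in the rejected option, would also reject the legitimate user o'brien, while the parameterized version handles both that name and the tautology input correctly.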