When developing a web application that must read from and write to a relational database, which approach is the BEST for performing those operations while following sound security practices?
Invoke command-line database tools from inside the application code to run SQL statements.
Construct dynamic SQL by concatenating user input directly into query strings.
Use a database API that employs prepared statements and parameterized queries.
Rely solely on stored procedures for every database operation from the web application.
Calling the database through an API that supports prepared or parameterized statements keeps SQL code separate from user-supplied data. Because placeholders are bound to values at run time, malicious input cannot change the intended SQL syntax, which is the most widely recommended mitigation against SQL injection attacks. Building queries by concatenating raw input leaves the application vulnerable to injection, and spawning command-line clients from within the app exposes additional shell-injection and credential-management risks. Properly written stored procedures-those that accept parameters and avoid dynamic SQL-can also reduce injection risk, but relying on them exclusively limits flexibility and does not automatically eliminate every attack vector. Therefore, parameterized queries through a database API are considered the most broadly applicable and secure default choice.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why are parameterized queries considered more secure?
Open an interactive chat with Bash
What is SQL injection and why is it dangerous?
Open an interactive chat with Bash
How do prepared statements differ from stored procedures?