A web developer implements a form where users select their country from a drop-down menu. The developer believes this is secure from SQL injection because the user cannot type into the field. Why is this security measure insufficient on its own?
Drop-down menus are only secure when used with numeric values.
JavaScript-based validation on the form would prevent this attack.
SQL injection attacks can only be performed on text input fields, not selection menus.
An attacker can intercept and modify the HTTP request before it reaches the server.
This security measure is insufficient because client-side restrictions, such as using a drop-down menu, can be bypassed. An attacker can use a tool like a web proxy to intercept the HTTP request after it is sent from the browser and modify the value for the 'country' parameter to a malicious SQL string before it reaches the server. Therefore, all input must be validated and sanitized on the server-side, and parameterized queries should be used to prevent SQL injection.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is server-side input validation and why is it important?
Open an interactive chat with Bash
What is a web proxy, and how can it be used in an attack?
Open an interactive chat with Bash
What are parameterized queries, and how do they prevent SQL injection?