A web developer implements a form where users select their country from a drop-down menu. The developer believes this is secure from SQL injection because the user cannot type into the field. Why is this security measure insufficient on its own?
SQL injection attacks can only be performed on text input fields, not selection menus.
JavaScript-based validation on the form would prevent this attack.
Drop-down menus are only secure when used with numeric values.
An attacker can intercept and modify the HTTP request before it reaches the server.
This security measure is insufficient because client-side restrictions, such as using a drop-down menu, can be bypassed. An attacker can use a tool like a web proxy to intercept the HTTP request after it is sent from the browser and modify the value for the 'country' parameter to a malicious SQL string before it reaches the server. Therefore, all input must be validated and sanitized on the server-side, and parameterized queries should be used to prevent SQL injection.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is SQL injection and how does it work?
Open an interactive chat with Bash
What are some methods to protect against SQL injection attacks?
Open an interactive chat with Bash
What are HTTP requests, and how can they be intercepted in attacks?