CompTIA CySA+ Exam: Preventing Arbitrary SQL Commands in Web Applications

Best Practices for Software Security

Question

Which of the following software security best practices would prevent an attacker from being able to run arbitrary SQL commands within a web application? (Choose two.)

Answers

Explanations


AC.

https://www.ptsecurity.com/ww-en/analytics/knowledge-base/how-to-prevent-sql-injection-attacks/

The two software security best practices that prevent an attacker from running arbitrary SQL commands within a web application are parameterized queries and input validation.

  1. Parameterized queries: A parameterized query uses placeholders for user input in the SQL statement instead of concatenating the input into the query string. Because the input values are passed to the database as parameters rather than as part of the statement text, they are never parsed as SQL. This separation of user input from the SQL statement is what prevents an SQL injection attack.

  2. Input validation: Input validation is the process of checking that user input conforms to the expected format and data type before the application processes it. Validating input makes it possible to detect and reject SQL injection attempts. Input validation techniques include checking data type, length, format, and range. For example, a field expected to hold a numeric value should reject any non-numeric characters, and a field expected to hold a specific format, such as a date or an email address, should be validated against that format.
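The two practices side by side, as an added example that is not part of the original exam explanation. It builds a constructed in-memory SQLite table, shows a lookup that concatenates user input into the statement (the vulnerable pattern), the same lookup written with a `?` placeholder (parameterized query), and a whitelist check on the username and an integer range check on the id (input validation). The table contents, the `USERNAME_RE` pattern, and the helper names are assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    """Create a constructed sample table (not real data) in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, username, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable pattern: the input becomes part of the SQL text, so the
    database engine parses whatever the caller supplied as SQL."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    """Parameterized query: the statement is fixed and the value travels
    separately, so the input can only ever be compared as a string."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Input validation: an allow-list of the characters a username may contain
# (assumed policy for this example: letters, digits, underscore, 1..32 chars).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(value):
    """Reject anything that does not match the expected username format."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("username does not match the expected format")
    return value


def validate_user_id(value):
    """Type and range check for a numeric id field: must parse as a positive
    integer, so quotes, spaces or SQL keywords can never get through."""
    try:
        user_id = int(value)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    if user_id <= 0:
        raise ValueError("id must be positive")
    return user_id


def find_user_defended(conn, username):
    """Both controls together: validate first, then bind as a parameter."""
    return find_user_parameterized(conn, validate_username(username))


def find_user_by_id(conn, raw_id):
    """Numeric lookup with validation plus a bound parameter."""
    sql = "SELECT username, role FROM users WHERE id = ?"
    return conn.execute(sql, (validate_user_id(raw_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed test input: a classic tautology string.
    probe = "' OR '1'='1"
    print("vulnerable   :", find_user_vulnerable(db, probe))    # every row comes back
    print("parameterized:", find_user_parameterized(db, probe))  # no row matches that literal
    try:
        find_user_defended(db, probe)
    except ValueError as exc:
        print("validation   :", exc)                              # rejected before the query runs
    print("by id        :", find_user_by_id(db, "2"))
```

The parameterized version alone is sufficient to stop the injection; the validation layer adds defence in depth by rejecting malformed input before it reaches the database at all, and by giving the application a clear place to log and alert on attempts.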

The other options in the answer choices are also important security best practices, but they do not directly prevent SQL injection attacks.

  1. Session management: Session management is the process of managing user sessions in a web application. It involves creating and managing session IDs, setting session timeouts, and managing session data. Session management is important for protecting user data and preventing unauthorized access to a user's session.

  2. Output encoding: Output encoding is the process of encoding output data to prevent cross-site scripting (XSS) attacks. Output encoding ensures that user input is treated as plain text, and not as HTML or JavaScript code that could be executed by a browser.

  3. Data protection: Data protection refers to the process of securing data at rest and in transit. It includes techniques such as encryption, hashing, and access control to protect sensitive data from unauthorized access or disclosure.

  4. Authentication: Authentication is the process of verifying a user's identity before granting access to a web application. It involves user authentication, such as username and password, or multi-factor authentication, such as a combination of password and a security token. Authentication is important for preventing unauthorized access to sensitive data or functionality in a web application.