Which of the following is the most effective technical control to prevent SQL injection attacks? (Wentz QOTD)
A. Front end input validation
B. Security awareness and training
C. Parameterized SQL queries
D. Constrained user interface

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Parameterized SQL queries.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Front-end input validation and constrained user interface are countermeasures against SQL injection in the presentation layer, which typically happens at the client-side. However, attackers may not initiate SQL injection from the presentation layer, but submit inputs with injection code to the server-side directly and bypass the user interface.

Input validation shall be applied both at the client and server sides. Parameterized SQL queries can be implemented in the business logic layer or data access layer; both layers are located on the server-side.

Security awareness and training is not a technical control.

Reference

---

以下哪項是防止 SQL 注入攻擊最有效的技術控制？ (Wentz QOTD)
A. 前端輸入驗證
B. 安全意識和培訓
C. 參數化 SQL 查詢
D. 受限的用戶界面