Which two are major approaches that can be used to reduce SQL injection by limiting user input?
(Choose two.)

A. Restrict users from accessing specified web pages.

B. Use the NUMBER data type if only positive integers are needed.

C. Use dynamic SQL and construct it through concatenation of input values.

D. In a PL/SQL API, expose only those routines that are intended for customer use.
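To make the contrast between the options concrete, here is an added PL/SQL example (not part of the exam question or any Oracle material). The table `employees_demo`, the functions `get_salary_unsafe` and `get_salary_safe`, and the package `emp_api` are all constructed for this illustration. Option C is shown as the vulnerable pattern, option B as a parameter typed `NUMBER` so that non-numeric input is rejected before any SQL exists, and option D as a package specification that exposes only the hardened routine.

```sql
-- Constructed demonstration table (assumption, not part of the exam question).
CREATE TABLE employees_demo (
  emp_id NUMBER PRIMARY KEY,
  name   VARCHAR2(50),
  salary NUMBER
);
INSERT INTO employees_demo VALUES (1, 'Alice', 5000);
INSERT INTO employees_demo VALUES (2, 'Bob',   7000);
COMMIT;

-- Option C (the thing to avoid): dynamic SQL built by concatenating user input.
-- Because p_emp_id is a VARCHAR2, a caller can pass '1 OR 1=1' and the text
-- becomes part of the WHERE clause, so the predicate matches every row.
CREATE OR REPLACE FUNCTION get_salary_unsafe (p_emp_id IN VARCHAR2)
  RETURN NUMBER
IS
  v_sql    VARCHAR2(4000);
  v_salary NUMBER;
BEGIN
  v_sql := 'SELECT MAX(salary) FROM employees_demo WHERE emp_id = ' || p_emp_id;
  EXECUTE IMMEDIATE v_sql INTO v_salary;
  RETURN v_salary;
END get_salary_unsafe;
/

-- Option B: limit user input by data type. The parameter is NUMBER, so a value
-- like '1 OR 1=1' raises a conversion error (VALUE_ERROR) in the caller before
-- any statement is built. The extra check enforces "positive integer only".
-- The bind variable (:id) keeps the statement's structure fixed even though
-- the SQL is still dynamic.
CREATE OR REPLACE FUNCTION get_salary_safe (p_emp_id IN NUMBER)
  RETURN NUMBER
IS
  v_salary NUMBER;
BEGIN
  IF p_emp_id IS NULL OR p_emp_id <= 0 OR p_emp_id <> TRUNC(p_emp_id) THEN
    RAISE_APPLICATION_ERROR(-20001, 'emp_id must be a positive integer');
  END IF;
  EXECUTE IMMEDIATE 'SELECT MAX(salary) FROM employees_demo WHERE emp_id = :id'
    INTO v_salary
    USING p_emp_id;
  RETURN v_salary;
END get_salary_safe;
/

-- Option D: reduce the attack surface by exposing only the routine intended for
-- callers. The package specification is the public API; anything not declared
-- here (for example a raw-SQL helper) stays private to the package body.
CREATE OR REPLACE PACKAGE emp_api AS
  FUNCTION get_salary (p_emp_id IN NUMBER) RETURN NUMBER;
END emp_api;
/

CREATE OR REPLACE PACKAGE BODY emp_api AS
  FUNCTION get_salary (p_emp_id IN NUMBER) RETURN NUMBER IS
  BEGIN
    RETURN get_salary_safe(p_emp_id);
  END get_salary;
END emp_api;
/

-- Usage: the unsafe function leaks across rows; the safe path rejects the input.
SET SERVEROUTPUT ON
BEGIN
  DBMS_OUTPUT.PUT_LINE('unsafe, honest input : ' || get_salary_unsafe('1'));
  DBMS_OUTPUT.PUT_LINE('unsafe, injected     : ' || get_salary_unsafe('1 OR 1=1'));
  DBMS_OUTPUT.PUT_LINE('api, honest input    : ' || emp_api.get_salary(1));
  BEGIN
    -- The string cannot be converted to NUMBER, so no SQL is ever executed.
    DBMS_OUTPUT.PUT_LINE(emp_api.get_salary('1 OR 1=1'));
  EXCEPTION
    WHEN VALUE_ERROR THEN
      DBMS_OUTPUT.PUT_LINE('api, injected        : rejected by NUMBER type');
  END;
END;
/
```

Run the block in SQL*Plus or SQLcl against a scratch schema. The second `get_salary_unsafe` call is the injection from option C: the concatenated text changes the query's structure. The `emp_api` path combines options B and D: the typed parameter and range check stop the malformed value at the PL/SQL boundary, and the package specification is the only surface a caller can reach.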



Leo Yu

Answer: A) D)
C) is definitely the opposite of preventing SQL injection: input concatenation opens the door for the user to input malicious code to reveal unauthorized data, like " XXXX union select salary from employee" or "CREATE OR REPLACE FUNCTION invalid_grant { "GRANT DBA TO SCOTT" }", then input like " XXXX=invalid_grant".
B) might have no real security issue; it just follows the common rule: only use the appropriate data type.