You are developing an ASP.NET MVC application that uses forms authentication. The application
uses SQL queries that display customer order data.
You need to prevent all SQL injection attacks against the application.
How should you secure the queries?
A. Implement parameterization.
B. Pattern check the input.
C. Filter out prohibited words in the input.
D. Escape single quotes on string-based input parameters.
Explanation:
With most development platforms, parameterized statements can be used instead of embedding user input in the statement text (the parameters are sometimes called placeholders or bind variables). A placeholder can only hold a value of the given type, not an arbitrary SQL fragment, so an injection attempt is simply treated as a strange (and probably invalid) parameter value rather than as part of the query.
https://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements
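The difference between embedding input in the query and passing it as a typed parameter, as an added C# example that is not part of the original question. It assumes a hypothetical Orders table with an integer CustomerId column and a connection string supplied by the caller.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original question). Assumes a hypothetical
// Orders table with an integer CustomerId column.
public class OrderRepository
{
    private readonly string _connectionString;

    public OrderRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // VULNERABLE: the request value is concatenated into the SQL text, so
    // whatever the caller sends becomes part of the query structure.
    public DataTable GetOrdersUnsafe(string customerIdFromRequest)
    {
        string sql = "SELECT OrderId, OrderDate, Total FROM Orders WHERE CustomerId = "
                     + customerIdFromRequest;
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);   // Fill opens and closes the connection itself
            return table;
        }
    }

    // FIXED: the SQL text is constant and the value travels as a typed parameter.
    // The database only ever sees an int value for @CustomerId, never SQL.
    public DataTable GetOrders(int customerId)
    {
        const string sql =
            "SELECT OrderId, OrderDate, Total FROM Orders WHERE CustomerId = @CustomerId";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@CustomerId", SqlDbType.Int).Value = customerId;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```

In an MVC controller, declaring the action parameter as `int customerId` lets model binding reject non-numeric input before the repository is even called, which complements (but does not replace) the parameterized query.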
Answer: A
Same as Q.91: http://www.aiotestking.com/microsoft/how-should-you-secure-the-queries/