You are developing an ASP.NET MVC application that uses forms authentication. The application uses SQL
queries that display customer order data.
You need to prevent all SQL injection attacks against the application.
How should you secure the queries?
A.
Implement parameterization.
B.
Pattern check the input.
C.
Filter out prohibited words in the input.
D.
Escape single quotes on string-based input parameters.
Explanation:
With most development platforms, parameterized statements that work with parameters can be used
(sometimes called placeholders or bind variables) instead of embedding user input in the statement. A
placeholder can only store a value of the given type and not an arbitrary SQL fragment. Hence the SQL
injection would simply be treated as a strange (and probably invalid) parameter value.
https://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements