LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is the primary defense against injection attacks, and what backs it up as defense-in-depth?

Prepared statements (parametrized APIs) are the primary defense; input validation, output encoding, least privilege, and safe configuration are layered behind it.

No single control is enough, so they stack from most to least effective:

Priority Strategy How it helps
1 Parametrized API (prepared statements) Separates code from data — most effective
2 Input validation / sanitization Rejects malformed input before it reaches interpreter
3 Output encoding Encodes special characters for the output context
4 Least privilege Limits damage — DB user can only SELECT, not DROP
5 Configuration Disable dangerous features (e.g., xp_cmdshell, LOAD_FILE)

Why prepared statements work: The SQL engine compiles the query structure FIRST, then binds user data as parameters. The data can never be interpreted as SQL code, regardless of what the attacker sends.

See: OWASP SQL Injection Prevention Cheat Sheet

Go deeper:

From Quiz: SPRG / Input Validation & Output Encoding | Updated: Jul 14, 2026