Quiz Entry - updated: 2026.07.14
What is the primary defense against injection attacks, and what backs it up as defense-in-depth?
Prepared statements (parametrized APIs) are the primary defense; input validation, output encoding, least privilege, and safe configuration are layered behind it.
No single control is enough, so they stack from most to least effective:
| Priority | Strategy | How it helps |
|---|---|---|
| 1 | Parametrized API (prepared statements) | Separates code from data — most effective |
| 2 | Input validation / sanitization | Rejects malformed input before it reaches interpreter |
| 3 | Output encoding | Encodes special characters for the output context |
| 4 | Least privilege | Limits damage — DB user can only SELECT, not DROP |
| 5 | Configuration | Disable dangerous features (e.g., xp_cmdshell, LOAD_FILE) |
Why prepared statements work: The SQL engine compiles the query structure FIRST, then binds user data as parameters. The data can never be interpreted as SQL code, regardless of what the attacker sends.
See: OWASP SQL Injection Prevention Cheat Sheet
Go deeper:
OWASP Injection Prevention Cheat Sheet — layered defense: parametrization first, then validation/encoding/least-privilege.