GIAC Foundational Cybersecurity Technologies Practice Test

Prepare for the GIAC Cybersecurity Technologies Test. Use practice questions and detailed explanations to enhance your understanding and readiness. Start your journey to certification today!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!

How do prepared statements help prevent SQL injection attacks?

  1. Query parameters are sent in the body of a POST request

  2. Queries are appended with an authorization token

  3. Query language is kept separate from user supplied data

  4. Queries submitted by users are HTML entity encoded

The correct answer is: Query language is kept separate from user supplied data

Prepared statements help prevent SQL injection attacks by keeping the query language separate from user-supplied data. When a prepared statement is used, the structure of the SQL query is defined first, with placeholders standing in for any variables. When user input is later bound to those placeholders, it is treated purely as data and cannot alter the structure of the SQL command itself. The database parses the command and the data separately, so any SQL injected through user input is never executed as part of the original SQL command. This separation mitigates the vulnerabilities associated with dynamic SQL queries that directly concatenate user input without validation or parameterization.

The other options, while potentially relevant to data handling and security, do not address the core mechanism by which prepared statements defend against SQL injection. Sending query parameters in the body of a POST request or appending an authorization token does not by itself separate user input from the query language. Likewise, HTML entity encoding is a technique used primarily in web applications to prevent cross-site scripting (XSS) and does not protect against SQL injection attacks.