Developing ASP.NET MVC Web Applications — Question 93
You are developing an ASP.NET MVC application that uses forms authentication. The application uses SQL queries that display customer order data.
Logs show there have been several malicious attacks against the servers.
You need to prevent all SQL injection attacks from malicious users against the application.
How should you secure the queries?
Answer options
- A. Check the input against patterns seen in the logs and other records.
- B. Escape single quotes and apostrophes on all string-based input parameters.
- C. Implement parameterization of all input strings.
- D. Filter out prohibited words in the input submitted by the users.
Correct answer: C
Explanation
The correct answer is C because parameterizing the queries sends user input to the database as data values bound to placeholders, never as part of the executable SQL text, so the input cannot change the structure of the query and SQL injection is prevented. Options A, B, and D all try to sanitize untrusted input before it is concatenated into a query; they are less effective because such filtering and escaping is incomplete, and injection payloads can use input formats, encodings, and patterns that the filter or escaping routine does not anticipate.