Oracle Database: Program with PL/SQL — Question 18
You are designing and developing a complex database application built using many dynamic SQL statements. Which option could expose your code to SQL injection attacks?
Answer options
- A. Using bind variables instead of directly concatenating parameters into dynamic SQL statements
- B. Using automated tools to generate code
- C. Not validating parameters which are concatenated into dynamic SQL statements
- D. Validating parameters before concatenating them into dynamic SQL statements
- E. Having excess database privileges
Correct answer: C
Explanation
The correct answer is C: a parameter that is concatenated into a dynamic SQL statement without validation becomes part of the statement text, so malicious input can be executed as SQL code. Options A, D, and B describe ways to mitigate SQL injection risks, while E relates to permissions rather than to a direct SQL injection vulnerability.
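The three patterns the options contrast, shown in PL/SQL as an added example that is not part of the exam material. It assumes a table APP_USERS(USERNAME, STATUS) and a caller-supplied value p_user; the procedure and table names are constructed for illustration.

```sql
-- Added example, not from the exam page. Assumes a table
-- APP_USERS(USERNAME, STATUS); p_user arrives from an untrusted caller.

-- Option C: the caller's value is spliced into the statement text, so a
-- value that closes the quote changes the structure of the statement.
CREATE OR REPLACE FUNCTION user_status_unsafe (p_user IN VARCHAR2)
  RETURN VARCHAR2
IS
  v_status VARCHAR2(30);
BEGIN
  EXECUTE IMMEDIATE
    'SELECT status FROM app_users WHERE username = ''' || p_user || ''''
    INTO v_status;
  RETURN v_status;
END;
/

-- Option A: the value is passed as a bind variable. It never becomes part
-- of the statement text, so its content cannot alter the statement.
CREATE OR REPLACE FUNCTION user_status_safe (p_user IN VARCHAR2)
  RETURN VARCHAR2
IS
  v_status VARCHAR2(30);
BEGIN
  EXECUTE IMMEDIATE
    'SELECT status FROM app_users WHERE username = :u'
    INTO v_status
    USING p_user;
  RETURN v_status;
END;
/

-- Option D, for the one case a bind cannot cover (an identifier such as
-- a column name chosen by the caller): validate before concatenating.
-- DBMS_ASSERT.SIMPLE_SQL_NAME returns the name unchanged when it is a
-- plain SQL identifier and raises ORA-44003 for anything else.
CREATE OR REPLACE FUNCTION user_attr_validated (p_user IN VARCHAR2,
                                                p_col  IN VARCHAR2)
  RETURN VARCHAR2
IS
  v_val VARCHAR2(4000);
BEGIN
  EXECUTE IMMEDIATE
    'SELECT ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_col) ||
    ' FROM app_users WHERE username = :u'
    INTO v_val
    USING p_user;
  RETURN v_val;
END;
/
```

The second and third functions are the ones to keep; the first exists only to show what option C looks like in code.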