Exam CISSP topic 1 question 228 discussion

I hate this question. Parameterised isn't even in the ISC2 book...ughhh

A. Parameterised

OSG E9

Parameterised queries are a type of query in which placeholders are used for user input values. These placeholders are later replaced with user input values that are properly escaped, preventing SQL injection attacks. Parameterised queries are a recommended best practice for preventing SQL injection in software development

A. Parameterized queries are the type of queries that developers should use to prevent a Structured Query Language (SQL) injection. Parameterized queries are pre-written SQL statements that include placeholders for user input. When a user provides input, the placeholders are replaced with the user's input, and the resulting query is executed. This helps to prevent SQL injection attacks because the user's input is treated as a separate value, rather than being interpreted as part of the SQL statement.

A, separate the SQL query from the user input values

A parameterized query (also known as a prepared statement) is a means of pre-compiling a SQL statement so that all you need to supply are the "parameters" (think "variables") that need to be inserted into the statement for it to be executed. It's commonly used as a means of preventing SQL injection attacks. https://stackoverflow.com/questions/4712037/what-is-parameterized-query

Parameterized SQL queries allow you to place parameters in an SQL query instead of a constant value. A parameter takes a value only when the query is executed, which allows the query to be reused with different values and for different purposes.