Web Security: Common Vulnerabilities And Their Mitigation - SQLi mitigation - parameterized queries and stored procedure

Using parameterized statements

Sanitizing user input

Using stored procedures

Giving all accounts maximum privileges

They are more complex to write

They allow user input to be directly concatenated

They require more privileges for execution

They separate code from data, preventing SQL injection

A database table

A user input value

A SQL command

A query result

It ignores the input completely

It concatenates the input with the query

It allows the input to be executed as a command

It treats the input as a literal string

The query is ignored

The database crashes

The input is treated as a literal string, preventing injection

The query executes with the injected SQL

They always improve query performance

They are not supported by any database

They can sometimes harm query performance

They require more complex syntax

They allow dynamic query construction

They execute SQL statements in an all-or-nothing manner

They require user input to be concatenated

They increase the privileges of the database user