Which combination of practices addresses injection flaws in software development?

Prepare for the PCI DSS Test with detailed questions and explanations. Use flashcards and quizzes to enhance knowledge. Ensure you're ready for your certification exam!

Multiple Choice

Which combination of practices addresses injection flaws in software development?

Explanation:
Injection flaws arise when untrusted input is used to build commands, so attacker data can alter the code that runs. The strongest defense is to treat user input strictly as data and never as part of executable code. Validating input helps ensure it matches expected formats, lengths, and types, reducing harmful or malformed data. Using parameterized queries (prepared statements) binds user input as separate parameters, so the database treats it as data rather than part of the SQL command. This prevents injected content from changing the command’s intent. Relying on a network firewall or doing client-side validation alone won’t protect against server-side injection, and dynamic SQL without parameters directly enables injection. Together, input validation and parameterized queries provide robust protection against injection flaws.