How can you prevent SQL injection in a database application?

• A. Use parameterized/prepared statements and proper input validation.
• B. Use dynamic string concatenation to build queries.
• C. Disable all user input.
• D. Only rely on client-side validation.

Answer: (A)

Defending against SQL injection means keeping data separate from the SQL code that runs in the database. The most reliable way is to use parameterized (or prepared) statements. With these, the SQL query is written with placeholders for data, and the actual values are supplied separately. The database driver treats those values strictly as data, not as part of the SQL command, so even if a user enters something that looks like SQL, it won’t be executed as code. This is the core defense against attackers altering the query’s structure.

Input validation adds another layer by checking that inputs meet expected formats, lengths, and character sets before they’re sent to the database. It helps block obvious bad data and can reduce risk, but it isn’t enough on its own. If you rely only on validation on the client side or try to build queries by concatenating strings with user input, you leave your application vulnerable—validators can be bypassed, and the injected input becomes part of the SQL string.

So the best approach is to combine parameterized statements with proper input validation. The other options aren’t viable: constructing queries via dynamic string concatenation creates the exact vulnerability, disabling all user input isn’t practical, and relying solely on client-side validation can be bypassed.