To prevent SQL injection, which approach is recommended?

• A. Hard-code queries with string concatenation.
• B. Validate input only on the client side.
• C. Disable database access entirely.
• D. Use parameterized/prepared statements and proper input validation.

Answer: (D)

Preventing SQL injection relies on treating user input strictly as data and keeping it separate from the SQL command itself. Using parameterized or prepared statements defines the query with placeholders and then binds the user-supplied values as data, so the database engine cannot treat input as executable code. This is what stops an attacker from changing the intent of the query, even if they provide malicious input. Input validation on the server adds an extra layer by enforcing allowed formats and ranges, but it isn’t enough on its own because validation rules can miss edge cases or be bypassed; the binding of parameters is the key defense against injection. The other options fall short: building queries by concatenating strings directly creates injection points; relying only on client-side validation can be bypassed since the client isn’t trusted; and disabling database access is impractical for real applications.