Question 139


Skills Measured 5.5.3 Sample Question

Multiple Choices

A SQL injection attack occurs when an application allows input submitted by the client to be run as part of a SQL command. What actions should a developer take to ensure that this doesn’t happen? (Choose all that apply.)

  • A. Use Entity SQL because it does not suffer from the same risk.
  • B. Use SQLParameters to submit the parameters.
  • C. Use Linq-to-Entities to access the database.
  • D. Filter out keywords and symbols.

Answer:

BC
Explanation
A. Incorrect: Entity SQL is still a text-based query language. If you build an Entity SQL string by concatenating client input, it is just as open to injection as a hand-built T-SQL string, so an application using it for the data layer needs the same protections (parameters, not string building).
B. Correct: Passing client values as SqlParameter objects is the right mitigation. Parameter values travel to the server separately from the command text, so the server never parses them as SQL, whatever characters they contain.
C. Correct: Linq-to-Entities composes the query as an expression tree over the object model and translates it to parameterized SQL. Client values become parameters rather than part of the command text, so the risk is mitigated.
D. Incorrect: Stripping keywords and symbols is a blocked-list approach. It is easy to bypass (the attacker only needs one construct your list missed) and it corrupts legitimate content (a name such as O'Neil, or a password that happens to contain "or"). Validating input against an accepted list of what the field is allowed to contain is more secure, and it complements parameters rather than replacing them.
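The following is an added example, not part of the original question set, showing in running code why answer B works and answer D does not. Python's sqlite3 module stands in for ADO.NET's SqlCommand and SqlParameter; the mechanism is the same, the bound value is sent to the engine separately from the command text and is never parsed as SQL. The table, rows, user names and passwords are constructed here for the demonstration.

```python
# Added example (not from the original question set): parameterized queries
# versus string concatenation versus a keyword block-list.  sqlite3 stands in
# for ADO.NET's SqlCommand/SqlParameter; the table and rows are constructed.
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with three sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, name, password) VALUES (?, ?, ?)",
        [(1, "alice", "correct horse"), (2, "bob", "hunter2"), (3, "o'neil", "tm1")],
    )
    return conn


def login_concat(conn, name, password):
    """Vulnerable: client input is spliced into the command text."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Safe: '?' placeholders are bound to values; the SQL text never changes."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def find_by_id_concat(conn, id_text):
    """Vulnerable numeric context: no quotes, so stripping quotes cannot help."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE id = " + id_text)]


def find_by_id_param(conn, id_text):
    """Accept-list check (the value must be an integer) plus a bound parameter."""
    try:
        user_id = int(id_text)
    except ValueError:
        return []
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE id = ?", (user_id,))]


# Option D: a naive block-list of keywords and symbols, applied in one pass.
BLOCKED = re.compile(r"(?i)select|union|drop|and|or|['\";-]")


def filter_keywords(text):
    """Strip anything on the block-list from the input."""
    return BLOCKED.sub("", text)


def login_filtered(conn, name, password):
    """Block-list then concatenate: mangles legitimate input."""
    return login_concat(conn, filter_keywords(name), filter_keywords(password))


def find_by_id_filtered(conn, id_text):
    """Block-list then concatenate: bypassed by nesting the keyword."""
    return find_by_id_concat(conn, filter_keywords(id_text))


if __name__ == "__main__":
    db = make_db()
    attack = "' OR 1=1 --"                    # comments out the password check
    print(login_concat(db, attack, "x"))      # ['alice', 'bob', "o'neil"]
    print(login_param(db, attack, "x"))       # []
    print(login_param(db, "o'neil", "tm1"))   # ["o'neil"]
    print(filter_keywords("correct horse"))   # 'crect hse'
    print(login_filtered(db, "alice", "correct horse"))  # [] (locked out)
    print(find_by_id_filtered(db, "1 OORR 1=1"))  # ['alice', 'bob', "o'neil"]
    print(find_by_id_param(db, "1 OORR 1=1"))     # []
```

The block-list fails in both directions: "correct horse" is mangled to "crect hse" so a legitimate user cannot log in, and "1 OORR 1=1" becomes "1 OR 1=1" after the single-pass strip, so the numeric lookup returns every row. The parameterized versions return exactly the rows the values name, and the apostrophe in o'neil, which makes the concatenated query a syntax error, is simply data.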