easy📝 Syntax Q3 of 15
SQL - Security Basics
Which SQL query is vulnerable to injection if user input is not sanitized?
A. SELECT * FROM users WHERE username = '" + userInput + "';
B. SELECT * FROM users WHERE username = 'admin';
C. SELECT * FROM users WHERE username = ?;
D. SELECT * FROM users WHERE username = $1;
Step-by-Step Solution
Solution:
  1. Step 1: Analyze query construction

    Option A splices userInput directly into the SQL text. If the value contains a single quote, it closes the string literal and everything after it is parsed as SQL, so the attacker controls part of the statement.
  2. Step 2: Compare with safe parameterized queries

    Options C and D use placeholders (? in JDBC/ODBC-style drivers, $1 in PostgreSQL-style drivers). The driver sends the value separately from the statement text, so it is never parsed as SQL. Option B is a fixed literal with no user input at all, so there is nothing to inject into.
  3. Final Answer:

    Option A: SELECT * FROM users WHERE username = '" + userInput + "';
  4. Quick Check:

    Unsafe query = string concatenation with user input [OK]
Quick Trick: Use parameterized queries (prepared statements) instead of string concatenation; escaping or "sanitizing" the input is only a weaker fallback [OK]
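To make the difference concrete, here is an added example (not part of the original quiz) that runs option A and option C against an in-memory SQLite table. The table rows and the attacker input are constructed for the demo; the placeholder style is the sqlite3 module's ?, which matches option C.

```python
import sqlite3

# Constructed sample data for the demo (not from the quiz page).
SAMPLE_USERS = [("admin", "s3cr3t"), ("alice", "hunter2"), ("bob", "pa55")]

# Constructed attacker input: closes the string literal and adds a tautology.
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    """Option A: the input is spliced into the SQL text (injectable)."""
    query = "SELECT * FROM users WHERE username = '" + user_input + "';"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_input: str) -> list:
    """Option C: the value travels separately from the SQL text.

    Quotes inside the input are just characters in a string value; they can
    never change the shape of the statement.
    """
    query = "SELECT * FROM users WHERE username = ?;"
    return conn.execute(query, (user_input,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal username and with the payload."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        # Becomes: ... WHERE username = '' OR '1'='1';  -> every row
        "vulnerable_payload": lookup_vulnerable(conn, PAYLOAD),
        "safe_normal": lookup_parameterized(conn, "alice"),
        # Looks for a user literally named "' OR '1'='1"  -> no rows
        "safe_payload": lookup_parameterized(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the payload, the concatenated query returns all three rows because the WHERE clause has been rewritten to an always-true condition; the parameterized query returns nothing because it searched for a username that happens to contain quotes.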
Common Mistakes:
  • Thinking parameter placeholders cause injection
  • Assuming static queries are vulnerable
  • Judging injection risk by how the query looks rather than by whether user input reaches the SQL text
