What is an injection attack, and how do you prevent SQL injection? [Advanced]
Answer
An injection attack occurs when untrusted input is interpreted as code or commands by an interpreter such as SQL, shell, LDAP, or NoSQL. SQL injection is prevented with parameterized queries, prepared statements, input validation, least-privilege database users, and avoiding dynamic SQL string concatenation.
Technical explanation
Escaping alone is error-prone and should not be the primary control when parameterization is available.
ORMs help but can still be unsafe if raw query strings are built from user input.
Least-privilege database roles limit damage if injection occurs.
Hands-on example
Unsafe: SELECT * FROM users WHERE name = '<user input>'
Safe Java pattern:
PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?"); // fixed SQL text with a bind placeholder
ps.setString(1, userInput); // the value is bound as data and is never parsed as SQL
ResultSet rs = ps.executeQuery();
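The following is an added, runnable Python illustration of the same contrast (it is not part of the original answer, which shows the Java pattern). It uses the standard-library sqlite3 driver and a constructed in-memory users table; the function names find_user_unsafe, find_user_safe and demo are assumptions made for this example. It also covers the "escaping alone is error-prone" point above: a legitimate name containing an apostrophe breaks the concatenated query but is handled correctly by the parameterized one.

```python
import sqlite3

# Constructed sample rows for the demo; not real data.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("O'Brien", "obrien@example.com"),
]


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    # executemany with '?' placeholders is itself a parameterized insert.
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """Vulnerable: the input is spliced into the SQL text, so the parser
    treats whatever it contains as part of the statement."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterized: the SQL text is fixed and the value travels separately
    as a bound parameter, so it can only ever be compared as data."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups against two inputs and return the observations."""
    conn = make_db()
    results = {}

    # 1. A legitimate value containing a quote character.
    try:
        results["unsafe_quote"] = find_user_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        # Concatenation turns the apostrophe into a syntax error.
        results["unsafe_quote"] = f"error: {exc}"
    results["safe_quote"] = find_user_safe(conn, "O'Brien")

    # 2. The classic tautology that rewrites the WHERE clause when concatenated.
    tautology = "x' OR '1'='1"
    results["unsafe_tautology_rows"] = len(find_user_unsafe(conn, tautology))
    results["safe_tautology_rows"] = len(find_user_safe(conn, tautology))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the unsafe lookup failing on O'Brien and returning every row for the tautology input, while the parameterized lookup returns exactly one row and zero rows respectively. SQLite has no per-user roles, so the least-privilege control from the explanation cannot be shown here; on a server database the application account would additionally be granted only the SELECT/INSERT rights it needs.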
More Security & DevSecOps interview questions
- What is DevSecOps, and how does it differ from traditional security gating at the end? [Basic]
- What does shift-left security mean, and why does it matter? [Basic]
- What is the difference between SAST, DAST, IAST, and SCA? [Basic]
- When in the pipeline does each of SAST, DAST, and SCA run? [Basic]
- What is the difference between SAST and DAST, and what does each catch and miss? [Basic]
- What is software composition analysis (SCA), and why does it matter for dependencies? [Basic]
- What is SonarQube, and what does it analyse? [Basic]
- Is SonarQube primarily SAST, code quality, or both? [Basic]