Chapter 31 Β· Quiz

SQL Injection Quiz

Multiple choice, matching, analysis, and evaluation questions.

Part A β€” Multiple Choice

Q1
What is SQL injection, and what root cause makes it possible?
βœ… Correct: B. SQL injection inserts attacker-controlled SQL into a query the application was already going to send. The root cause is bad programming β€” failing to validate or parameterize input so user data cannot become executable SQL code. No network intrusion, malware, or special software is required.
Q2
An attacker enters the string ' OR '1'='1 into a product search field. What is the likely outcome, and what does this signature indicate?
βœ… Correct: C. The OR '1'='1' tautology makes the WHERE condition always true, returning every row in the table. This is the classic OR 1=1 SQL injection signature β€” one of the most recognizable indicators of a SQL injection attempt in web application logs or traffic analysis.
Q3
Which programming technique is the MOST effective defense against SQL injection?
βœ… Correct: C. Parameterized queries fix the root cause β€” they ensure user input is always treated as data, never as SQL code. Encryption protects stored data but not query logic. Authentication limits who can attempt injection but not whether injection succeeds. A WAF can be evaded through encoding; parameterized queries cannot.
Q4
An attacker successfully injects SQL into a web application and attempts '; DROP TABLE orders--. The injection runs but the table is not deleted. What most likely prevented the deletion?
βœ… Correct: D. Even when SQL injection succeeds in executing attacker-controlled SQL, the database permission system still applies. A web application database account should have only the permissions it needs β€” typically SELECT and perhaps INSERT/UPDATE on specific tables. DROP TABLE is a DDL privilege that web application accounts should never hold. Least privilege limits injection impact even when parameterized queries are absent.
Q5
A security analyst sees repeated requests to a login endpoint with usernames containing ' OR '1'='1'--. What type of attack is underway, and what is the attacker attempting to achieve?
βœ… Correct: B. This is a SQL injection authentication bypass. The ' OR '1'='1'-- payload alters the authentication query to always return true and comments out the password check. If successful, the attacker gains access as the first user in the table β€” typically an administrator β€” without knowing any credentials.

Part B β€” Matching

Match each SQL injection concept to its description.

CONCEPT

Parameterized Query
OR 1=1 Payload
UNION-Based Injection
Least Privilege (DB)

DESCRIPTION

Limits the impact of successful injection by ensuring the app's database account can only perform operations it actually needs
Separates SQL structure from user data so input is always treated as data, never as executable code
An always-true condition injected into a WHERE clause to return all rows instead of the intended filtered subset
Appends a second SELECT to extract data from tables completely unrelated to the original query

Part C β€” Analysis

Q6 β€” Analyze
A developer argues: "We have a web application firewall that blocks common SQL injection patterns β€” we don't need to rewrite our queries with parameterized statements." A security architect disagrees. Who is correct?
βœ… Correct: B. WAFs detect known patterns but can be evaded through encoding (URL encoding, hex encoding, case variation, comments) that makes injection payloads unrecognizable to signature-based rules. Parameterized queries are structural β€” they make it architecturally impossible for user input to become SQL code, regardless of what the user types. Fix the code first; add the WAF as a supplementary layer.

Part D β€” Evaluation

Q7 β€” Evaluate
A project manager argues: "SQL injection only affects the database β€” the rest of our systems are safe even if the database is compromised." Evaluate this claim.
βœ… Correct: C. The database is not an isolated island β€” it contains credentials that authenticate to other systems, user PII that triggers breach notification requirements, session tokens that can be replayed, financial records with regulatory implications, and internal account data. A database compromise via SQL injection typically leads to: credential stuffing attacks on other systems, mandatory breach disclosures, regulatory fines (GDPR, PCI-DSS), lateral movement using extracted service accounts, and reputation damage. The database is the most data-dense single target in most organizations.
0/7
Questions Answered Correctly