🛡️ Free practice test question from: SQL Injection Prevention (Security+)

A) Using mysql.escape() would help mitigate some risks by escaping special characters, but it's not the most comprehensive solution. Escape functions can sometimes be bypassed in complex scenarios.

B) Parameterized queries (prepared statements) are the gold standard for preventing SQL injection. They separate the SQL query structure from the data, effectively neutralizing SQL injection risks. Additionally, implementing allow-list validation for userId provides an extra layer of security by ensuring only integer values are accepted.

C) Input validation based on blacklisting SQL keywords or special characters is notoriously unreliable. Attackers can often find creative ways to bypass such filters, making this approach weak and error-prone.

D) While using an ORM can provide some protection against SQL injection, it's not inherently more secure than using parameterized queries. ORMs can still be vulnerable if not used correctly.