During a penetration test, you encounter a vulnerability to SQL injection. Which technical control factor would be MOST effective in mitigating this vulnerability?

Preventing SQL injection comes down to ensuring untrusted input can’t alter the SQL execution. The most effective control is to sanitize inputs and, even more importantly, use parameterized (prepared) queries. When you parameterize queries, user-supplied data is sent to the database separately from the code, so it’s treated strictly as data rather than executable SQL. This blocks the attacker from injecting additional commands regardless of the input content. Relying on client-side validation is risky because it can be bypassed; TLS only protects data in transit and doesn’t affect how SQL is interpreted; disabling database features reduces surface area but doesn’t address the root flaw. Proper input handling with parameterized queries provides robust, consistent protection against SQL injection across the application.