QUESTION 5

Consider the following query an application performs when a user changes her password:

UPDATE users SET password=newsecret WHERE user=marcus and password = secret

If the attacker enters the username as admin--, the new password as foo, and leaves the existing password blank, what will happen?

a. The application will return an error message because the existing password is not entered

b. The attacker can bypass the password check

c. The attacker will set only the admin user's password to foo

d. The attacker will set every user's password to foo

QUESTION 6

Consider the following query an application performs when a user changes her password:

UPDATE users SET password=newsecret WHERE user=marcus and password = secret

If the attacker enters the username as admin or 1=1--, the new password as foo, and leaves the existing password blank, what will happen?

a. The application will return an error message because the existing password is not entered

b. The attacker can bypass the password check

c. The attacker will set only the admin user's password to foo

d. The attacker will set every user's password to foo

QUESTION 7

Which of the following is (are) true?

Escaping single quotation marks is always effective in preventing SQL injection

A stored procedure is always effective in preventing SQL injection

A poorly written stored procedure can contain SQL injection vulnerabilities within its own code

Parameterized queries should be used for every database query to prevent SQL injection
