Which practice is the primary defense to prevent injection-type vulnerabilities via user input?


Multiple Choice

Which practice is the primary defense to prevent injection-type vulnerabilities via user input?

Explanation:
User input comes from an untrusted source, and injection flaws occur when that data is used to construct commands or queries without proper checks. The strongest defense is to rigorously validate input before it is used: whitelist what is allowed, enforce type and length constraints, and encode or escape data for the specific context in which it will be interpreted. This limits the characters or payloads that could alter syntax or execution. While parameterized queries and other secure practices are important, validating input is the foremost shield against injection via user input. The other options address different security concerns and do not directly prevent injection when data is fed into code, queries, or operating-system contexts.

