SQL Security Interview Questions
2 questions with answers · SQL Interview Guide
SQL injection prevention, GRANT/REVOKE, parameterized queries, and the principle of least privilege.
How can you prevent SQL injections?
The most effective defense against SQL injection is parameterized queries (prepared statements): the SQL text and the user-supplied values travel to the database separately, so the database never parses input as part of the statement. In addition, validate and sanitize input, apply the principle of least privilege so each database account holds only the permissions it actually needs, and never build queries by string concatenation. ORMs help because they issue parameterized queries under the hood, but their raw-query escape hatches still need the same care.
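Added example, not code from the interview guide: the contrast the guide's snippets below describe, in runnable Python against the standard-library sqlite3 driver, whose `?` placeholder matches the MySQL-style snippet. The table, its two rows, the function names and the `ALLOWED_SORT_COLUMNS` allowlist are all constructed for this demo. It goes one step beyond the paragraph by covering an input that "validate inputs" must handle: a caller-chosen column name, which no driver can bind as a parameter and so has to be allowlisted before it reaches the SQL text.

```python
import sqlite3

# Constructed sample rows for this stand-alone demo; not data from the interview guide.
SAMPLE_USERS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
]

# Allowlist for a column name supplied by the caller. Identifiers (table and column
# names, ORDER BY targets) cannot be bound as parameters, so they are validated instead.
ALLOWED_SORT_COLUMNS = {"email", "name"}


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT NOT NULL, name TEXT NOT NULL)")
    # The INSERT itself uses bound parameters: the driver sends the values separately
    # from the SQL text, which is exactly the separation the guide recommends.
    conn.executemany("INSERT INTO users (email, name) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_name_concat(conn, email_input):
    """Vulnerable: the caller's text is spliced into the SQL, so it is parsed as SQL.

    This mirrors the guide's 'never do this' line and exists only to show the contrast.
    """
    query = "SELECT name FROM users WHERE email = '" + email_input + "'"
    return [row[0] for row in conn.execute(query)]


def find_name_param(conn, email_input):
    """Safe: the '?' placeholder is bound; the input is always compared as a literal string."""
    rows = conn.execute("SELECT name FROM users WHERE email = ?", (email_input,))
    return [row[0] for row in rows]


def is_allowed_sort_column(column):
    """Exact-match allowlist check for identifiers that cannot be parameterized."""
    return column in ALLOWED_SORT_COLUMNS


def list_emails_sorted(conn, sort_column):
    """Sort by a caller-chosen column; the name is allowlisted before it enters the SQL text."""
    if not is_allowed_sort_column(sort_column):
        raise ValueError(f"unexpected sort column: {sort_column!r}")
    rows = conn.execute(f"SELECT email FROM users ORDER BY {sort_column}")
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # textbook input: closes the quote, then an always-true condition
    print("concatenated:", find_name_concat(db, tautology))   # the WHERE clause matches every row
    print("parameterized:", find_name_param(db, tautology))   # compared as a literal e-mail: no match
    print("sorted:", list_emails_sorted(db, "name"))
```

The point worth internalizing is the third function: parameters protect values, not identifiers, so the moment a query takes a table or column name from the caller you are back to validating, and an exact-match allowlist is the check to reach for rather than escaping.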
-- Vulnerable (never do this)
query = "SELECT * FROM users WHERE email = '" + userInput + "'";
-- Safe: parameterized query (PostgreSQL example)
SELECT * FROM users WHERE email = $1; -- $1 is bound separately
-- Safe: prepared statement syntax (MySQL/general)
SELECT * FROM users WHERE email = ?;
Explain the use of the keyword WITH ENCRYPTION. Create a stored procedure with encryption.
WITH ENCRYPTION is a SQL Server option that obfuscates the text definition of a stored procedure, view, trigger, or function in the system catalog. Once an object is created this way, sp_helptext and sys.sql_modules no longer return its source text, which protects proprietary business logic. The downside is that you lose the ability to script the object out later, so you must keep your own copy of the unencrypted source under version control.
CREATE PROCEDURE usp_GetEmployeeSalary
    @EmployeeId INT
WITH ENCRYPTION
AS
BEGIN
    SELECT Name, Salary
    FROM Employees
    WHERE EmployeeId = @EmployeeId;
END;