Security+ Input Validation, Practice Exam Question

---

Hello, on the SY0-501 practice exam page there's a question which asks me "Which secure coding technique ensures that improper data is not allowed into the program?" and the two choices that were presented to me that seemed to make any sense out of the four were error handling and stored procedures. So naturally I went ahead and chose stored procedures.

Got it wrong. This is the explanation it gave:

"Using properly written stored procedures protects the database from damage caused by SQL injection attacks, not invalid input."

Are SQL injection attacks not a form of invalid input? No one normally should expect SQL instructions to be passed into an input field. Is there something I'm missing here? Is the question focusing on only one type of invalid input?

@Ryan-Kastner ,

Tricky question, but SQL injection attacks would not be invalid input. The problem with SQL injections is just the opposite, it is valid input and being processed. It's easy to think it's invalid because we don't want it.

Invalid input would throw an error and potentially cause the program to malfunction. For example, if we were attempting to store numeric data in a text field, or tried to divide by zero. We would use error handling methods, like try...catch statements or input validation to protect.