You have a database in an Azure Cosmos DB Core (SQL) API account.
You need to create an Azure function that will access the database to retrieve records based on a variable named accountnumber. The solution must protect against SQL injection attacks.
How should you define the command statement in the function?
A. cmd = "SELECT * FROM Persons p
WHERE p.accountnumber = 'accountnumber'"
B. cmd = "SELECT * FROM Persons p
WHERE p.accountnumber = LIKE @accountnumber"
C. cmd = "SELECT * FROM Persons p
WHERE p.accountnumber = @accountnumber"
D. cmd = "SELECT * FROM Persons p
WHERE p.accountnumber = '" + accountnumber + "'"
ANSWER: C
Explanation:
Azure Cosmos DB supports queries with parameters expressed by the familiar @ notation. Parameterized SQL provides robust handling and escaping of user input and prevents accidental exposure of data through SQL injection: the query text is fixed and the value is sent separately as a parameter, so quote characters or additional predicates in the input cannot change the structure of the query. Option D builds the query by string concatenation and is exactly the pattern that is injectable; option A compares against the literal string 'accountnumber' rather than the variable; option B ("= LIKE") is not valid syntax.
For example, you can write a query that takes lastName and address.state as parameters and execute it for various values of lastName and address.state based on user input.
SELECT *
FROM Families f
WHERE f.lastName = @lastName AND f.address.state = @addressState
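The following is an added example, not part of the original question or the Microsoft documentation it cites. It contrasts the option D pattern (string concatenation) with the option C pattern (a query text plus a separate @accountnumber parameter) using only the Python standard library, so it runs offline. The query-spec shape (a query string and a list of {name, value} parameters) is the one the Cosmos DB SQL API accepts; the azure-cosmos SDK call that would consume it is shown in a comment only and is not executed. The injection payload and the "Persons" container name are constructed for the demonstration.

```python
# Added example (not from the original page): why option C is safe and option D is not.
# Runs offline; the Cosmos DB SDK call is shown as a comment only.

QUERY_TEXT = "SELECT * FROM Persons p WHERE p.accountnumber = @accountnumber"


def build_concatenated_query(accountnumber: str) -> str:
    """Option D: the user-supplied value is spliced into the query text.

    Anything the caller controls becomes part of the SQL the engine parses.
    """
    return "SELECT * FROM Persons p WHERE p.accountnumber = '" + accountnumber + "'"


def build_parameterized_query(accountnumber: str) -> dict:
    """Option C: fixed query text, value carried separately as a parameter.

    Cosmos DB SQL API query spec: a query string plus a list of parameters
    whose names start with '@'. The value is data, never SQL text.
    """
    return {
        "query": QUERY_TEXT,
        "parameters": [{"name": "@accountnumber", "value": accountnumber}],
    }


def parameters_are_well_formed(spec: dict) -> bool:
    """Sanity check a practitioner can run before sending a spec:
    every parameter name starts with '@' and is actually referenced in the query,
    and no parameter value has leaked into the query text itself."""
    query = spec["query"]
    for param in spec["parameters"]:
        name, value = param["name"], param["value"]
        if not name.startswith("@") or name not in query:
            return False
        if isinstance(value, str) and value in query:
            return False
    return True


# Constructed payload: closes the opening quote, adds an always-true predicate,
# then re-balances the trailing quote so the concatenated query still parses.
INJECTION_PAYLOAD = "x' OR 1=1 OR p.accountnumber = 'x"


def demo() -> dict:
    """Return both forms built from the same hostile input for side-by-side comparison."""
    vulnerable = build_concatenated_query(INJECTION_PAYLOAD)
    safe = build_parameterized_query(INJECTION_PAYLOAD)
    # With the azure-cosmos SDK (not executed here) the safe form is issued as:
    #   container.query_items(query=safe["query"],
    #                         parameters=safe["parameters"],
    #                         enable_cross_partition_query=True)
    return {
        "vulnerable_query": vulnerable,
        "vulnerable_has_injected_predicate": "OR 1=1" in vulnerable,
        "safe_query": safe["query"],
        "safe_query_unchanged": safe["query"] == QUERY_TEXT,
        "safe_value_kept_as_data": safe["parameters"][0]["value"] == INJECTION_PAYLOAD,
        "safe_spec_well_formed": parameters_are_well_formed(safe),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The concatenated form turns the payload into a second predicate (`OR 1=1`) that matches every document, while the parameterized form sends the identical string as a value and leaves the query text byte-for-byte unchanged. The well-formedness check is the cheap guard to keep in a function: if a parameter value ever appears inside the query string, something upstream has started concatenating again.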
Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/sql/sql-query-parameterized-queries