How should you define the command statement in the function?

You have a database in an Azure Cosmos DB Core (SQL) API account.

You need to create an Azure function that will access the database to retrieve records based on a variable named accountnumber. The solution must protect against SQL injection attacks.

How should you define the command statement in the function?
A . cmd = "SELECT * FROM Persons p
WHERE p.accountnumber = ‘accountnumber’"
B. cmd = "SELECT * FROM Persons p
WHERE p.accountnumber = LIKE @accountnumber"
C. cmd = "SELECT * FROM Persons p
WHERE p.accountnumber = @accountnumber"
D. cmd = "SELECT * FROM Persons p
WHERE p.accountnumber = ‘" + accountnumber + "’"

View Answer

Answer: C

Explanation:

Azure Cosmos DB supports queries with parameters expressed by the familiar @ notation. Parameterized SQL provides robust handling and escaping of user input, and prevents accidental exposure of data through SQL injection.

For example, you can write a query that takes lastName and address.state as parameters, and execute it for various values of lastName and address.state based on user input. SELECT *

FROM Families f

WHERE f.lastName = @lastName AND f.address.state = @addressState

Reference: https://docs.microsoft.com/en-us/azure/cosmos-db/sql/sql-query-parameterized-queries