Chapter 32 — Quiz
14 questions. Answers at the bottom.
Multiple choice
Q1. The definitive defense against SQL injection is:
- A) Validating input length
- B) Parameterized queries (never concatenating input into SQL)
- C) A firewall
- D) Encrypting the database
Q2. The principle of least privilege means:
- A) Give every account full access for convenience
- B) Each account gets only the permissions it needs
- C) Use one shared superuser
- D) No permissions at all
Q3. The application should connect as:
- A) The postgres superuser
- B) A limited role with only the privileges it needs
- C) Any role
- D) A new role per request
Q4. Row-Level Security (RLS):
- A) Encrypts rows
- B) Restricts which rows a user sees, enforced in the database
- C) Speeds up queries
- D) Hides columns
Q5. To hide sensitive columns (e.g., salary), you can:
- A) Encrypt the whole database
- B) Expose a view with only safe columns (and grant the view)
- C) Use a bigger server
- D) Add an index
Q6. Encryption in transit (TLS) protects against:
- A) Stolen disks
- B) Network interception of data/credentials
- C) SQL injection
- D) Deadlocks
Q7. Passwords should be:
- A) Stored in plaintext
- B) Encrypted (reversible)
- C) Hashed with a strong, salted algorithm (bcrypt/argon2)
- D) Stored in the connection string
Q8. Encryption at rest protects against:
- A) SQL injection
- B) A stolen disk or backup being readable
- C) Slow queries
- D) Deadlocks
Q9. Tested backups and PITR are a security control because:
- A) They speed up queries
- B) They make data loss (ransomware, accidental DROP) recoverable
- C) They prevent injection
- D) They encrypt data
Q10. Why never run the app as superuser?
- A) It's slower
- B) A breach/bug could then do anything (drop tables, read everything); least privilege contains it
- C) Superusers can't run queries
- D) It's required by GDPR
Q11. GDPR's "right to erasure" requires you to be able to:
- A) Encrypt all data
- B) Delete a person's personal data on request
- C) Back up data
- D) Index PII
True/False
Q12. Validating input is a sufficient replacement for parameterized queries. (True / False)
Q13. Security is a single setting you turn on. (True / False)
Short answer
Q14. Explain "defense in depth" with three database security layers and what each protects against.
---
Answer key
Q1 — B. Parameterization makes injection structurally impossible.
Q2 — B. Only the permissions needed — limits blast radius.
Q3 — B. A limited role, never superuser.
Q4 — B. Database-enforced row restriction.
Q5 — B. A view exposing only safe columns (or column grants).
Q6 — B. Network interception (sniffing).
Q7 — C. Hashed (one-way), salted, slow algorithm — never plaintext/encrypted.
Q8 — B. A stolen disk/backup is useless without the key.
Q9 — B. Recoverability from loss/ransomware is a security control.
Q10 — B. Least privilege contains a breach; a superuser app makes any breach catastrophic.
Q11 — B. Delete a person's data on request.
Q12 — False. Validation is defense-in-depth; parameterization is the actual fix. Always parameterize.
Q13 — False. Security is layered defense in depth, not one switch.
Q14. Defense in depth = multiple independent layers, each assuming the others might fail. E.g.: (1) Parameterized queries prevent SQL injection (attacker can't rewrite the query). (2) Least-privilege roles contain any breach that does occur (a compromised app role can't drop tables or read other schemas). (3) TLS + encryption at rest protect data from network interception and stolen disks. If one layer fails, the others still limit the damage.
Scoring: 12–14 you defend in depth; 9–11 review least privilege and RLS; below 9, redo Exercises A–B.