You're reading from Oracle Advanced PL/SQL Developer Professional Guide

Product type: Book
Published in: May 2012
Reading level: Expert
Publisher: Packt
ISBN-13: 9781849687225
Edition: 1st Edition

Author: Saurabh K. Gupta

Saurabh K. Gupta is a seasoned database technologist with extensive experience in designing high performance and highly available database applications. His technology focus has been centered around Oracle Database architecture, Oracle Cloud platform, Database In-Memory, Database Consolidation, Multitenant, Exadata, Big Data, and Hadoop. He has authored the first edition of this book. He is an active speaker at technical conferences from Oracle Technology Network, IOUG Collaborate'15, AIOUG Sangam, and Tech Days. Connect with him on his Twitter handle (SAURABHKG) or through his technical blog www.sbhoracle.wordpress.com, with comments, suggestions, and feedback regarding this book.

Chapter 12, Safeguarding PL/SQL Code against SQL Injection Attacks


Question 1
Answer: a, b, and c
Explanation: Dynamic SQL is more prone to injection attacks. Static SQL should be preferred wherever possible; where dynamic SQL is unavoidable, it must use bind variables.

Question 2
Answer: a
Explanation: If the identifiers in a SQL query are fixed for every execution of a subprogram, static SQL can be used in the program.

Question 3
Answer: a and d
Explanation: SQL injection can lead to the leakage of confidential information and allow unauthorized activities to be performed.

Question 4
Answer: a
Explanation: Inputs coming from the application layer must be validated before they are used in the application.

Question 5
Answer: b
Explanation: Static code analysis only examines the logical flow of the code; it does not confirm whether the code is vulnerable.

Question 6
Answer: a
Explanation: Fuzzing is a rough testing method that measures the resilience and scalability of a program and can uncover the vulnerable areas of the code.

Question 7
Answer: c and d
Explanation: The DBMS_ASSERT.SQL_OBJECT_NAME function verifies that the named object exists in the current schema. The SIMPLE_SQL_NAME and QUALIFIED_SQL_NAME functions verify that a SQL name is well formed.

Question 8
Answer: b
Explanation: A quoted identifier is enclosed in double quotes in a query. Its meaning in that context is entirely different from that of an unquoted identifier.

Question 9
Answer: b
Explanation: ENQUOTE_LITERAL encloses a given string in single quotes.

Question 10
Answer: a, c, and d
Explanation: The Oracle keywords that implement dynamic SQL are the most vulnerable areas of PL/SQL code.

Question 11
Answer: a and c
Explanation: AUTHID CURRENT_USER eliminates the chance of SQL injection by executing a PL/SQL program with the rights of its invoker rather than those of its creator.
