Which OWASP Top 10 vulnerability is mitigated by parameterized queries?


Multiple Choice

Which OWASP Top 10 vulnerability is mitigated by parameterized queries?

Explanation:
Parameterizing queries directly addresses untrusted input being treated as code. When you use prepared statements with placeholders, the database first compiles the query structure and then binds the user-supplied values as data. This separation ensures that input cannot be interpreted as part of the SQL command, so tricky inputs like ' OR '1'='1 are treated just as a string value rather than altering the query logic. That’s the essence of preventing injection flaws, including SQL injection, NoSQL injection, and similar command-injection risks. Other options describe different security issues: broken authentication is about how credentials and sessions are managed, sensitive data exposure concerns protecting data at rest or in transit, and XML External Entities deals with parsing flaws in XML. The practice of parameterized queries most directly mitigates Injection.

