You are designing and developing a complex database application built using many dynamic SQL statements. Which option could expose your code to SQL injection attacks?
Using bind variables instead of directly concatenating parameters into dynamic SQL statements
Using automated tools to generate code
Not validating parameters which are concatenated into dynamic SQL statements
Validating parameters before concatenating them into dynamic SQL statements