The correct answer is C.
OBJ-2.4: The most common type of code injection is SQL injection. An SQL injection attempts to modify one or more of an SQL query’s four basic functions: select, insert, delete, or update. Two common methods of performing an SQL injection are either using a single apostrophe (‘) or submitting an always true statement like 1=1. In the scan results, you can see that a statement of “1 OR 17 – 7 = 10” was used. Notice that %20 is the ASCII encoded equivalent of the space character. As a penetration tester, you need to be familiar with common ASCII encoded text used in URLs equivalents like %20 (space), %5c (\), and %2F (/) to identify SQL injections and file inclusions.