Parameterized Query
What is Parameterized Query?
Parameterized Query: A database query whose values are sent separately from the SQL text via placeholders, so user input can never alter the query's structure.
A parameterized query (also called a prepared statement) lets developers pre-compile a SQL template with placeholders such as '?' or ':id' and then bind values to those placeholders. Because the database engine treats the parameters strictly as data — never as part of the SQL syntax — even input containing quotes, semicolons or comment markers cannot change the query's logic. This is the canonical mitigation for SQL injection (CWE-89) and is supported by nearly every database driver and ORM. Parameterized queries should be the default for any SQL that includes untrusted input, complemented by least-privilege database accounts, allow-list input validation and ORM-safe APIs for dynamic identifiers.
● Examples
- 01
Using 'SELECT * FROM users WHERE id = ?' with a bound integer parameter instead of concatenating the user ID.
- 02
Using named parameters in PDO or psycopg with the dict of values instead of string formatting.
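An added example (not taken from this glossary) that shows both patterns above with Python's built-in sqlite3 module: a constructed in-memory `users` table, a concatenated query for contrast, a positional `?` placeholder as in example 01, and a named `:id` placeholder bound from a dict as in example 02.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; not real user records.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob")],
    )
    return conn


def find_user_unsafe(conn, name):
    # Concatenation: the input is spliced into the SQL text, so a quote in
    # the value can close the literal and change the WHERE clause.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Positional placeholder: the value travels separately from the SQL text
    # and is compared as a plain string, whatever characters it contains.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def find_user_by_id(conn, user_id):
    # Named placeholder (sqlite3 uses :name) bound from a dict of values.
    sql = "SELECT id, name FROM users WHERE id = :id"
    return conn.execute(sql, {"id": user_id}).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input containing a quote
    print("concatenated:", find_user_unsafe(db, probe))  # returns every row
    print("parameterized:", find_user_safe(db, probe))   # returns []
    print("named:", find_user_by_id(db, 2))
```

The same input that widens the concatenated query to every row matches nothing when bound as a parameter, because the engine never parses it as SQL.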
● Frequently asked questions
What is Parameterized Query?
A database query whose values are sent separately from the SQL text via placeholders, so user input can never alter the query's structure. It belongs to the Application Security category of cybersecurity.
What does Parameterized Query mean?
A database query whose values are sent separately from the SQL text via placeholders, so user input can never alter the query's structure.
How do you apply a Parameterized Query as a defence?
Use a parameterized query for any SQL that includes untrusted input, so values are bound as data rather than spliced into the query text, and combine it with least-privilege database accounts, allow-list input validation and ORM-safe APIs for dynamic identifiers, as detailed in the full definition above.
What are other names for Parameterized Query?
Common alternative names include: Prepared statement, Bound parameter query.