A parameterized query is a SQL query that takes at least one parameter at execution time. A placeholder stands in for each parameter in the query text, and the parameter's value is supplied to the query in a separate statement rather than being written into the SQL itself.
One major reason for using parameterized queries is that they make queries more readable. The second and most compelling reason is that parameterized queries help to protect the database from SQL injection attacks.
The following is an example of an ADO.NET parameterized query:
SELECT LastName FROM Contacts WHERE ContactID = @ContactID;
@ContactID is the parameter for this query, which might be defined in a subsequent statement similar to the following:
command.Parameters.Add(new SqlParameter("@ContactID", theContactID));
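An added example, not code from the original page: the same lookup written with Python's sqlite3 module, whose named placeholder :ContactID plays the role of ADO.NET's @ContactID. It runs the query both as a concatenated string and as a parameterized query over a small constructed Contacts table, so the difference in how the two forms treat a value that contains SQL is visible.

```python
import sqlite3

# Constructed sample data (not from the original page): a tiny Contacts table.
SAMPLE_CONTACTS = [(1, "Alvarez"), (2, "Bishop"), (3, "Chen")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed Contacts rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Contacts (ContactID INTEGER PRIMARY KEY, LastName TEXT)")
    conn.executemany("INSERT INTO Contacts VALUES (?, ?)", SAMPLE_CONTACTS)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, contact_id: str) -> list:
    """Vulnerable form: the caller-supplied value is spliced into the SQL text,
    so any SQL syntax it contains is parsed as part of the query."""
    sql = f"SELECT LastName FROM Contacts WHERE ContactID = {contact_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, contact_id: str) -> list:
    """Parameterized form: the SQL text is fixed and :ContactID is a placeholder
    (sqlite3's equivalent of ADO.NET's @ContactID). The value is bound separately
    and is only ever treated as data, never parsed as SQL."""
    sql = "SELECT LastName FROM Contacts WHERE ContactID = :ContactID"
    return [row[0] for row in conn.execute(sql, {"ContactID": contact_id})]


def compare(contact_id: str) -> dict:
    """Run both forms on the same input and return their results side by side."""
    conn = make_db()
    try:
        return {
            "concatenated": lookup_concatenated(conn, contact_id),
            "parameterized": lookup_parameterized(conn, contact_id),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed id behaves the same either way.
    print(compare("2"))
    # Input carrying extra SQL: the concatenated query returns every row, while
    # the parameterized query treats the whole string as one (non-matching) id.
    print(compare("1 OR 1=1"))
```

With the parameterized form the bound value is compared against ContactID as a single literal, so the extra clause never reaches the SQL parser.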