Parameterized Query


What Does Parameterized Query Mean?

A parameterized query is a type of SQL query that requires at least one parameter for execution. A placeholder is normally substituted for the parameter in the SQL query. The parameter is then passed to the query in a separate statement.


Techopedia Explains Parameterized Query

One major reason for using parameterized queries is that they make queries more readable. The second and most compelling reason is that parameterized queries help to protect the database from SQL injection attacks: because the parameter value is passed to the database separately from the SQL text, it is bound as data and is never parsed as part of the query, so user-supplied input cannot change the query's structure.

The following is an example of an ADO.NET parameterized query:

SELECT LastName FROM Contacts WHERE ContactID = @ContactID;

@ContactID is the parameter for this query, which might be defined in a subsequent statement similar to the following:

command.Parameters.Add(new SqlParameter("@ContactID", theContactID));
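The following added example (not part of the original Techopedia entry) shows the same idea in Python with the standard sqlite3 module, which accepts a named placeholder :ContactID in the same role as ADO.NET's @ContactID. It runs the page's lookup two ways on a constructed in-memory Contacts table: once with the input spliced into the SQL text, and once parameterized, so the difference on a malformed input is visible. The table contents, function names and sample inputs are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the page).
SAMPLE_CONTACTS = [
    (1, "Okafor"),
    (2, "Rivera"),
    (3, "Nakamura"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory Contacts table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Contacts (ContactID INTEGER, LastName TEXT)")
    conn.executemany("INSERT INTO Contacts VALUES (?, ?)", SAMPLE_CONTACTS)
    conn.commit()
    return conn


def last_names_unsafe(conn: sqlite3.Connection, contact_id: str) -> list[str]:
    """Vulnerable form: the caller's input becomes part of the SQL text, so the
    database parser treats whatever was typed as query syntax, not as a value."""
    sql = (
        "SELECT LastName FROM Contacts WHERE ContactID = "
        f"{contact_id} ORDER BY ContactID"
    )
    return [row[0] for row in conn.execute(sql)]


def last_names_parameterized(conn: sqlite3.Connection, contact_id: str) -> list[str]:
    """Parameterized form: the SQL text is a constant containing only the named
    placeholder :ContactID (the analogue of ADO.NET's @ContactID). The value is
    handed to the driver separately and bound as data, never parsed as SQL."""
    sql = "SELECT LastName FROM Contacts WHERE ContactID = :ContactID ORDER BY ContactID"
    return [row[0] for row in conn.execute(sql, {"ContactID": contact_id})]


def compare(contact_id: str) -> dict[str, list[str]]:
    """Run both lookups on the same input so the behavioural difference is visible."""
    conn = make_db()
    try:
        return {
            "unsafe": last_names_unsafe(conn, contact_id),
            "parameterized": last_names_parameterized(conn, contact_id),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed id: both approaches return the single matching row.
    print(compare("2"))
    # Input that is not a plain id: the unsafe query's WHERE clause is rewritten
    # and every row is returned; the parameterized query compares the whole
    # string against ContactID as a value, which matches nothing.
    print(compare("2 OR 1=1"))
```

Note that the parameterized version never builds a different SQL string for different inputs; only the bound value changes. That constant query text is what makes the query both easier to read and immune to the input altering its structure.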



Margaret Rouse
Technology Expert

Margaret is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret's idea of a fun day is helping IT and business professionals learn to speak each other’s highly specialized languages.