Parameterized Queries
Queries in which user input is passed to the database as parameters separate from the SQL command, rather than concatenated into the query string. The database engine parses the statement first and then binds the parameter values, so it treats them strictly as data, never as SQL code; input passed this way cannot change the structure of the query, which is what makes SQL injection through those parameters impossible. Also known as prepared statements. Only values can be bound as parameters: identifiers such as table or column names and keywords such as a sort direction cannot, and input used in those positions must be validated against an allow list instead.
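As an added example (not code from the original page), the vulnerable string-concatenated query beside its parameterized form, using Python's sqlite3 module over a constructed in-memory table; the allow-list sort function covers the case where a column name, which cannot be bound as a parameter, comes from input.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the demonstration (not from the page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_concatenated(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the value is spliced into the SQL text, so a quote
    # character in `name` ends the literal and the rest is parsed as SQL.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Safe: `?` is a placeholder in the already-parsed statement; the driver
    # sends `name` as a bound value that is compared literally, never parsed.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


ALLOWED_SORT_COLUMNS = {"name", "role"}


def list_users_sorted(conn: sqlite3.Connection, column: str) -> list:
    # Identifiers cannot be bound as parameters, so the column name is
    # checked against a fixed allow list before it is placed in the SQL text.
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {column}")]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR 'a'='a"  # constructed input containing a quote character
    print(find_user_concatenated(db, crafted))   # every row: the WHERE clause was rewritten
    print(find_user_parameterized(db, crafted))  # []: the whole string is compared as data
    print(find_user_parameterized(db, "alice"))  # ['alice']
```

The same input returns all rows from the concatenated query and no rows from the parameterized one, because the bound value never reaches the SQL parser.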