SQL Parameters - Prevent SQL Injection
SQL parameters (parameterized queries) can be used to protect a web site from SQL injection.
A parameterized query is a SQL statement that uses placeholders instead of directly adding the input values into the query text. The placeholders are replaced with the actual values when the query executes. This makes the queries safer and more reusable.
Most databases support parameterized queries, but the syntax varies:
- MySQL uses ? for parameters
- SQL Server uses @ for parameters
- PostgreSQL uses $ for parameters
SQL parameters are added to an SQL query at execution time, in a controlled manner.
ASP.NET Razor Example
userid = getRequestString("UserId");
query = "SELECT * FROM Users WHERE UserId = @userid";
db.Execute(query, userid);
Note that parameters in SQL Server are represented by a @ marker.
The SQL engine checks each parameter to ensure that it is correct for its column, and the parameter value is treated literally, not as part of the SQL to be executed.
Another Example
cname = getRequestString("CustomerName");
caddress = getRequestString("Address");
ccity = getRequestString("City");
query = "INSERT INTO Customers (CustomerName, Address, City) Values(@cname, @caddress, @ccity)";
db.Execute(query, cname, caddress, ccity);
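As an added example (not part of the lesson, which uses ASP.NET Razor), the same idea in Python with the standard-library sqlite3 module, which uses ? placeholders like MySQL. It runs the same request string through a concatenated query and a parameterized one so the difference in how the value is treated is visible; the table and rows are constructed sample data.

```python
import sqlite3

# Constructed sample rows, not taken from the lesson.
SAMPLE_USERS = [(105, "alice"), (106, "bob"), (107, "carol")]


def make_db():
    """In-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn, userid):
    """Unsafe form: the request value is pasted into the SQL text,
    so whatever it contains is parsed as SQL by the engine."""
    query = "SELECT * FROM Users WHERE UserId = " + userid
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, userid):
    """Parameterized form: the value is bound at execution time and
    compared literally against the UserId column, never parsed as SQL."""
    query = "SELECT * FROM Users WHERE UserId = ?"
    return conn.execute(query, (userid,)).fetchall()


def compare(userid):
    """Return (rows from the concatenated query, rows from the
    parameterized query) for one request string."""
    conn = make_db()
    try:
        unsafe = lookup_concatenated(conn, userid)
    except sqlite3.Error as exc:
        unsafe = exc  # a malformed request string is a syntax error here
    safe = lookup_parameterized(conn, userid)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    # A well-formed id returns the single matching row either way.
    print(compare("105"))
    # A request string that is not a valid id: the parameterized query
    # matches nothing because no UserId equals that literal text, while
    # the concatenated query lets the text alter the WHERE clause and
    # returns every row in the table.
    print(compare("105 OR 1=1"))
```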