Description of the parameterized-query tag
A pre-compiled and optimized SQL statement that can be executed multiple times by changing certain constant values during each execution. Often used to prevent SQL injection.
A parameterized query or prepared statement is a pre-compiled and optimized SQL statement that is in the form of a template where only certain constant values (parameters) can be changed. It can be executed multiple times by changing the parameters during each execution. A parameterized query looks like
SELECT itemName FROM Product WHERE manufactureDate BETWEEN ? AND ?
The ? characters are the parameters that are substituted with values provided during each execution. In the above example they are the from date and the to date.
The advantages of a parameterized query are
- No compiling and optimizing overhead for the subsequent executions of the statement
- SQL injection is not possible, because the statement text is sent to and parsed by the database server separately from any parameter values, so a value can never be interpreted as part of the SQL
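An added example (not part of the original tag wiki) that runs the template above against an in-memory SQLite database, once built by string concatenation and once as a parameterized query, to show why only the latter keeps a hostile value from being parsed as SQL. The Product rows and the date inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows for the Product table (not from the original page).
PRODUCTS = [
    ("Widget", "2021-03-10"),
    ("Gadget", "2022-07-01"),
    ("Gizmo", "2023-11-15"),
]

# A to-date that closes the quoted literal and appends an always-true condition.
HOSTILE_TO_DATE = "2022-12-31' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database holding the constructed Product rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Product (itemName TEXT, manufactureDate TEXT)")
    conn.executemany("INSERT INTO Product VALUES (?, ?)", PRODUCTS)
    return conn


def items_unsafe(conn, from_date, to_date):
    """Build the statement by concatenation: the input becomes part of the SQL
    text, so the parser treats whatever it contains as SQL, not as a value."""
    sql = ("SELECT itemName FROM Product WHERE manufactureDate BETWEEN '"
           + from_date + "' AND '" + to_date + "'")
    return sorted(row[0] for row in conn.execute(sql))


def items_parameterized(conn, from_date, to_date):
    """Use the page's template with ? placeholders: the statement is parsed
    first and the values are bound afterwards, so they can only be data."""
    sql = "SELECT itemName FROM Product WHERE manufactureDate BETWEEN ? AND ?"
    return sorted(row[0] for row in conn.execute(sql, (from_date, to_date)))


if __name__ == "__main__":
    db = make_db()
    # The same template is executed repeatedly with different parameter values.
    print(items_parameterized(db, "2021-01-01", "2021-12-31"))  # ['Widget']
    print(items_parameterized(db, "2022-01-01", "2022-12-31"))  # ['Gadget']
    # Concatenation lets the hostile value rewrite the WHERE clause: every row.
    print(items_unsafe(db, "2022-01-01", HOSTILE_TO_DATE))
    # Bound as a parameter, the same value is just an odd date string.
    print(items_parameterized(db, "2022-01-01", HOSTILE_TO_DATE))  # ['Gadget']
```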