What is a parameterized query?

totalnoobs · Jan 17, 2011 · Viewed 90.9k times

What is a parameterized query, and what would an example of such a query be in PHP and MySQL?

Answer

John Parker · Jan 17, 2011

A parameterized query (also known as a prepared statement) is a means of pre-compiling a SQL statement so that all you need to supply are the "parameters" (think "variables") that need to be inserted into the statement for it to be executed. It's commonly used as a means of preventing SQL injection attacks.

You can read more about these on PHP's PDO page (PDO being a database abstraction layer), although you can also make use of them if you're using the mysqli database interface (see the prepare documentation).
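Added example (not part of the original answer) showing what the answer describes in PHP against MySQL: the string-concatenated query that lets user input alter the SQL text, next to the same lookup written as a parameterized query with PDO and with mysqli. The DSN, credentials and the `users` table (columns `id`, `email`, `display_name`) are constructed placeholders for the illustration.

```php
<?php
// Added example, not from the original answer. Assumes a MySQL database
// reachable via the DSN below and a hypothetical table `users`
// (columns `id`, `email`, `display_name`). Credentials are placeholders.
$dsn  = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
$user = 'app_user';
$pass = 'REPLACE_ME';

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    // Use real server-side prepares rather than client-side emulation, so the
    // statement is compiled by the server before any value is supplied.
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Untrusted input, e.g. from a form field.
$email = $_GET['email'] ?? '';

// --- The pattern to avoid: the value is pasted into the SQL text, so the
// database cannot tell where the statement ends and the data begins.
// $sql  = "SELECT id, display_name FROM users WHERE email = '" . $email . "'";
// $rows = $pdo->query($sql)->fetchAll();

// --- Parameterized query (PDO, named placeholder): the SQL with a placeholder
// is sent and compiled first; the value travels separately and is only ever
// treated as data, whatever characters it contains.
$stmt = $pdo->prepare('SELECT id, display_name FROM users WHERE email = :email');
$stmt->execute([':email' => $email]);
$rows = $stmt->fetchAll();

// The compiled statement can be re-executed with other parameters without
// the server parsing the SQL again.
$stmt->execute([':email' => 'someone.else@example.com']);
$otherRows = $stmt->fetchAll();

// --- Equivalent with mysqli (positional `?` placeholder, typed binding).
$mysqli = new mysqli('127.0.0.1', $user, $pass, 'app');
$mstmt  = $mysqli->prepare('SELECT id, display_name FROM users WHERE email = ?');
$mstmt->bind_param('s', $email);   // 's' binds the value as a string
$mstmt->execute();
$result = $mstmt->get_result();    // requires the mysqlnd driver
$mrows  = $result->fetch_all(MYSQLI_ASSOC);

// Placeholders stand in for values only. Table names, column names and
// keywords (e.g. an ORDER BY column) cannot be parameterized; those must be
// chosen from a fixed allow-list in application code instead.
```

Turning off `PDO::ATTR_EMULATE_PREPARES` matters for the "pre-compiled" property the answer describes: with emulation on, PDO escapes and interpolates the values client-side and sends plain SQL, which is still safe for ordinary values but is not a server-side prepared statement.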