Final answer:
A parameterized query, sometimes called a prepared statement, uses a prebuilt SQL statement to prevent SQL-based attacks. Variables from the application are fed to the query, rather than building a custom query when the application needs data.
Step-by-step explanation:
This approach protects against SQL injection attacks, where attackers manipulate input fields to execute unauthorized SQL commands.
For example, let's say we have a login page where users enter their username and password. Instead of splicing their input directly into the SQL text, we can use a parameterized query. The input values are passed separately as parameters, so the database treats them purely as data rather than as part of the SQL statement, which prevents SQL injection.
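The login example above, worked through in Python with an in-memory SQLite database (an added illustration, not part of the original answer). The table, the user record and the tampered input are all constructed for the demo; the password is stored in plaintext only to keep the snippet short, a real application would store a salted hash.

```python
import sqlite3


def build_db():
    """Create a throwaway in-memory database with one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "s3cret"))
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """Insecure: user input is spliced into the SQL text itself.

    Whatever the user types becomes part of the statement, so quotes
    and keywords in the input change the meaning of the query.
    """
    sql = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Secure: the statement is fixed, the values travel separately.

    The '?' placeholders are bound by the driver, so the input can never
    be parsed as SQL, no matter what characters it contains.
    """
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = build_db()
    # Constructed tampered input: a quote followed by an always-true clause.
    tampered = "' OR '1'='1"
    print("concatenated, tampered :", login_concatenated(db, "alice", tampered))
    print("parameterized, tampered:", login_parameterized(db, "alice", tampered))
    # A legitimate name containing a quote simply works with parameters.
    print("parameterized, o'brien :", login_parameterized(db, "o'brien", "pw"))
```

Running it shows the concatenated version accepting the tampered password while the parameterized version rejects it, and a username like o'brien breaks the concatenated query but is handled cleanly by the parameterized one.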