42.3k views
4 votes
A parameterized query, sometimes called a _____________, uses a prebuilt SQL statement to prevent SQL-based attacks. Variables from the application are fed to the query, rather than building a custom query when the application needs data.

by User Yokissa (8.5k points)

1 Answer

5 votes

Final answer:

A parameterized query, sometimes called a prepared statement, uses a prebuilt SQL statement to prevent SQL-based attacks. Variables from the application are fed to the query, rather than building a custom query when the application needs data.

Step-by-step explanation:

This approach protects against SQL injection attacks, where attackers manipulate input fields to execute unauthorized SQL commands.

For example, let's say we have a login page where users enter their username and password. Instead of constructing the SQL query using their input directly, we can use a parameterized query. This way, the input values are treated as parameters and passed separately, preventing any potential SQL-based attacks.

by User Davidpauljunior (8.1k points)
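The login page described in the answer, worked through as an added example (this is not code from the original post). It builds a small in-memory SQLite database, then compares a login check that pastes user input into the SQL text with one that uses a parameterized query, running both against a legitimate login and two classic injection payloads. The table, the user record and the payloads are constructed for the demo; the password is stored in plaintext only to keep the example short.

```python
import sqlite3

# Constructed test data (not from the original post): one user, plaintext
# password purely for the demo. Real systems store a password hash.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # The SQL text is assembled from user input, so a quote in the input
    # ends the string literal and the rest is parsed as SQL.
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    # The statement is fixed up front; the values are bound to the '?'
    # placeholders separately and are compared as data, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Two constructed injection payloads: one that makes the WHERE clause always
# true, one that comments out the password check entirely.
PASSWORD_PAYLOAD = "' OR '1'='1"
USERNAME_PAYLOAD = "' OR 1=1 --"


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_pw_attack": login_vulnerable(conn, "alice", PASSWORD_PAYLOAD),
        "vulnerable_user_attack": login_vulnerable(conn, USERNAME_PAYLOAD, "wrong"),
        "parameterized_legit": login_parameterized(conn, "alice", "correct horse"),
        "parameterized_pw_attack": login_parameterized(conn, "alice", PASSWORD_PAYLOAD),
        "parameterized_user_attack": login_parameterized(conn, USERNAME_PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable version authenticates as alice with either payload because the payload rewrites the WHERE clause; the parameterized version returns no row because the payload is just a string that matches no password. One caveat worth remembering: placeholders bind values only. A table name, column name, or ORDER BY direction taken from the user cannot be parameterized and has to be checked against an allow-list instead.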