Forem: Basant The latest articles on Forem by Basant (@basant). https://forem.com/basant https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1283841%2F7d45c00e-1e50-4fd3-9265-3e567f51f20f.jpg Forem: Basant https://forem.com/basant en SQL parameterization Basant Fri, 14 Nov 2025 11:31:34 +0000 https://forem.com/sinceweb/sql-parameterization-2cgh https://forem.com/sinceweb/sql-parameterization-2cgh <h1> 1) Plain-language definition &amp; core idea </h1> <p>A <strong>parameterized query</strong> is a SQL statement written with placeholders (parameters) instead of directly embedding user values into the SQL string. The application or driver sends the SQL text with placeholders to the database and sends the parameter <em>values</em> separately. The database treats parameter values as <em>data only</em> (not SQL), so malicious characters inside the values cannot change the SQL structure — that’s why parameterization prevents SQL injection.</p> <p>Example (plain):</p> <ul> <li>Unsafe: <code>'SELECT * FROM Users WHERE username = ''' + username + ''';'</code> (string concatenation)</li> <li>Safe (parameterized): <code>SELECT * FROM Users WHERE username = @username;</code> plus bind <code>@username = 'alice'</code> </li> </ul> <h1> 2) How placeholders work (short) </h1> <ul> <li>Placeholder appears in SQL text (e.g., <code>@name</code>, <code>?</code>, <code>$1</code>).</li> <li>SQL text and parameter metadata are sent/compiled (server-side or driver-side).</li> <li>Parameter values are sent separately and bound to placeholders.</li> <li>The DB engine compiles/optimizes the statement using the placeholders; values are injected into plan as typed data, <em>not as SQL code</em>.</li> </ul> <h1> 3) Simple SELECT filter: unsafe vs safe (SQL Server and MySQL examples) </h1> <h3> Unsafe — string concatenation (vulnerable) </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- DO NOT RUN with untrusted input</span> <span class="k">DECLARE</span> <span class="o">@</span><span class="n">username</span> <span class="n">NVARCHAR</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="o">=</span> <span class="s1">'alice</span><span class="se">''</span><span class="s1">; DROP TABLE Users; --'</span><span class="p">;</span> <span class="k">EXEC</span><span class="p">(</span><span class="s1">'SELECT * FROM Users WHERE username = </span><span class="se">''</span><span class="s1">'</span> <span class="o">+</span> <span class="o">@</span><span class="n">username</span> <span class="o">+</span> <span class="s1">'</span><span class="se">''</span><span class="s1">;'</span><span class="p">);</span> </code></pre> </div> <p>If <code>@username</code> contains <code>alice'; DROP TABLE Users; --</code> it becomes executable SQL.</p> <h3> Safe — parameterized (SQL Server) </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- SQL Server: parameterized</span> <span class="k">DECLARE</span> <span class="o">@</span><span class="n">username</span> <span class="n">NVARCHAR</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="o">=</span> <span class="s1">'alice'</span><span class="p">;</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">Users</span> <span class="k">WHERE</span> <span class="n">username</span> <span class="o">=</span> <span class="o">@</span><span class="n">username</span><span class="p">;</span> <span class="c1">-- @username is bound as NVARCHAR, treated as data.</span> </code></pre> </div> <h3> Safe — parameterized (MySQL client-style placeholder) </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Example using a client/driver that supports ? placeholders:</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">Users</span> <span class="k">WHERE</span> <span class="n">username</span> <span class="o">=</span> <span class="o">?</span><span class="p">;</span> <span class="c1">-- The driver binds a string value for the single ? placeholder.</span> </code></pre> </div> <h1> 4) Prepared statements — what and why </h1> <p><strong>Prepared statement</strong> = compile/parse SQL once (with placeholders) and then execute it multiple times with different bound values. Benefits:</p> <ul> <li>Avoid repeated parsing/compilation overhead.</li> <li>Enable plan reuse and caching (performance).</li> <li>Adds an explicit separation between SQL and data (safety).</li> <li>Some drivers/servers support server-side prepared statements for additional performance.</li> </ul> <h1> 5) Placeholder styles across systems — quick reference </h1> <ul> <li> <strong>SQL Server / T-SQL:</strong> <code>@name</code> (named parameters). Example: <code>@UserId</code> </li> <li> <strong>MySQL (client drivers):</strong> <code>?</code> (positional) — many drivers use <code>?</code>. MySQL server-side prepared statements also use <code>?</code> and <code>EXECUTE ... USING</code>.</li> <li> <strong>PostgreSQL:</strong> <code>$1</code>, <code>$2</code> (positional) for server-side PREPARE or libpq parameterization. Some drivers allow named-style binding client-side.</li> <li> <strong>Driver vs server:</strong> Some drivers emulate prepared statements client-side (substitute placeholders safely), others use server-side PREPARE. The placeholder syntax depends on driver and server.</li> </ul> <h1> 6) SQL Server: prepared statements, stored procedures, and examples </h1> <h2> 6.1 Named parameter example (ad hoc query) </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- SQL Server ad-hoc, parameters are simple variables</span> <span class="k">DECLARE</span> <span class="o">@</span><span class="n">MinAge</span> <span class="nb">INT</span> <span class="o">=</span> <span class="mi">25</span><span class="p">;</span> <span class="k">SELECT</span> <span class="n">Id</span><span class="p">,</span> <span class="n">Name</span> <span class="k">FROM</span> <span class="n">Person</span> <span class="k">WHERE</span> <span class="n">Age</span> <span class="o">&gt;=</span> <span class="o">@</span><span class="n">MinAge</span><span class="p">;</span> <span class="c1">-- @MinAge is bound locally in the batch</span> </code></pre> </div> <h2> 6.2 Stored procedure — single input parameter </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">PROCEDURE</span> <span class="n">dbo</span><span class="p">.</span><span class="n">GetUsersByCountry</span> <span class="o">@</span><span class="n">Country</span> <span class="n">NVARCHAR</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">AS</span> <span class="k">BEGIN</span> <span class="k">SET</span> <span class="n">NOCOUNT</span> <span class="k">ON</span><span class="p">;</span> <span class="k">SELECT</span> <span class="n">UserId</span><span class="p">,</span> <span class="n">Username</span><span class="p">,</span> <span class="n">Country</span> <span class="k">FROM</span> <span class="n">Users</span> <span class="k">WHERE</span> <span class="n">Country</span> <span class="o">=</span> <span class="o">@</span><span class="n">Country</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="k">GO</span> <span class="c1">-- Execute:</span> <span class="k">EXEC</span> <span class="n">dbo</span><span class="p">.</span><span class="n">GetUsersByCountry</span> <span class="o">@</span><span class="n">Country</span> <span class="o">=</span> <span class="s1">'Nepal'</span><span class="p">;</span> </code></pre> </div> <p><strong>Notes:</strong> stored procedure parameters are typed in the <code>CREATE PROCEDURE</code> header; call with <code>EXEC proc @p = value</code> or positional <code>EXEC proc 'Nepal'</code>.</p> <h2> 6.3 Stored procedure — multiple parameters, joins and filters </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">PROCEDURE</span> <span class="n">dbo</span><span class="p">.</span><span class="n">SearchOrders</span> <span class="o">@</span><span class="n">CustomerId</span> <span class="nb">INT</span> <span class="o">=</span> <span class="k">NULL</span><span class="p">,</span> <span class="o">@</span><span class="n">StartDate</span> <span class="nb">DATE</span> <span class="o">=</span> <span class="k">NULL</span><span class="p">,</span> <span class="o">@</span><span class="n">EndDate</span> <span class="nb">DATE</span> <span class="o">=</span> <span class="k">NULL</span> <span class="k">AS</span> <span class="k">BEGIN</span> <span class="k">SET</span> <span class="n">NOCOUNT</span> <span class="k">ON</span><span class="p">;</span> <span class="k">SELECT</span> <span class="n">o</span><span class="p">.</span><span class="n">OrderId</span><span class="p">,</span> <span class="n">o</span><span class="p">.</span><span class="n">OrderDate</span><span class="p">,</span> <span class="k">c</span><span class="p">.</span><span class="n">CustomerName</span><span class="p">,</span> <span class="n">o</span><span class="p">.</span><span class="n">Total</span> <span class="k">FROM</span> <span class="n">Orders</span> <span class="n">o</span> <span class="k">JOIN</span> <span class="n">Customers</span> <span class="k">c</span> <span class="k">ON</span> <span class="k">c</span><span class="p">.</span><span class="n">CustomerId</span> <span class="o">=</span> <span class="n">o</span><span class="p">.</span><span class="n">CustomerId</span> <span class="k">WHERE</span> <span class="p">(</span><span class="o">@</span><span class="n">CustomerId</span> <span class="k">IS</span> <span class="k">NULL</span> <span class="k">OR</span> <span class="n">o</span><span class="p">.</span><span class="n">CustomerId</span> <span class="o">=</span> <span class="o">@</span><span class="n">CustomerId</span><span class="p">)</span> <span class="k">AND</span> <span class="p">(</span><span class="o">@</span><span class="n">StartDate</span> <span class="k">IS</span> <span class="k">NULL</span> <span class="k">OR</span> <span class="n">o</span><span class="p">.</span><span class="n">OrderDate</span> <span class="o">&gt;=</span> <span class="o">@</span><span class="n">StartDate</span><span class="p">)</span> <span class="k">AND</span> <span class="p">(</span><span class="o">@</span><span class="n">EndDate</span> <span class="k">IS</span> <span class="k">NULL</span> <span class="k">OR</span> <span class="n">o</span><span class="p">.</span><span class="n">OrderDate</span> <span class="o">&lt;=</span> <span class="o">@</span><span class="n">EndDate</span><span class="p">);</span> <span class="k">END</span><span class="p">;</span> <span class="k">GO</span> <span class="c1">-- Examples:</span> <span class="k">EXEC</span> <span class="n">dbo</span><span class="p">.</span><span class="n">SearchOrders</span> <span class="o">@</span><span class="n">CustomerId</span> <span class="o">=</span> <span class="mi">42</span><span class="p">;</span> <span class="k">EXEC</span> <span class="n">dbo</span><span class="p">.</span><span class="n">SearchOrders</span> <span class="o">@</span><span class="n">StartDate</span> <span class="o">=</span> <span class="s1">'2025-01-01'</span><span class="p">,</span> <span class="o">@</span><span class="n">EndDate</span> <span class="o">=</span> <span class="s1">'2025-12-31'</span><span class="p">;</span> </code></pre> </div> <p><strong>Why this supports reuse &amp; safety:</strong> The same SQL logic runs for many parameter combinations; user input never changes SQL structure.</p> <h2> 6.4 Dynamic SQL safely (SQL Server — <code>sp_executesql</code>) </h2> <p>When you must build SQL strings (e.g., variable table names), use <code>sp_executesql</code> with parameters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">DECLARE</span> <span class="o">@</span><span class="k">sql</span> <span class="n">NVARCHAR</span><span class="p">(</span><span class="k">MAX</span><span class="p">);</span> <span class="k">DECLARE</span> <span class="o">@</span><span class="n">minPrice</span> <span class="nb">DECIMAL</span><span class="p">(</span><span class="mi">10</span><span class="p">,</span><span class="mi">2</span><span class="p">)</span> <span class="o">=</span> <span class="mi">100</span><span class="p">.</span><span class="mi">00</span><span class="p">;</span> <span class="k">SET</span> <span class="o">@</span><span class="k">sql</span> <span class="o">=</span> <span class="n">N</span><span class="s1">' SELECT p.ProductId, p.Name, p.Price FROM dbo.Products p WHERE p.Price &gt;= @minPrice '</span><span class="p">;</span> <span class="k">EXEC</span> <span class="n">sp_executesql</span> <span class="o">@</span><span class="k">sql</span><span class="p">,</span> <span class="n">N</span><span class="s1">'@minPrice DECIMAL(10,2)'</span><span class="p">,</span> <span class="o">@</span><span class="n">minPrice</span> <span class="o">=</span> <span class="o">@</span><span class="n">minPrice</span><span class="p">;</span> </code></pre> </div> <p><strong>Key:</strong> the variable <code>@minPrice</code> is passed separately to <code>sp_executesql</code> so the value is bound safely.</p> <p>If you need to inject identifiers (table/column names), validate/sanitize them against a whitelist before concatenation.</p> <h1> 7) MySQL: prepared statements and examples </h1> <h2> 7.1 Client-driver example (positional <code>?</code>) </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Client code uses:</span> <span class="k">SELECT</span> <span class="n">id</span><span class="p">,</span> <span class="n">username</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">WHERE</span> <span class="n">email</span> <span class="o">=</span> <span class="o">?</span> <span class="k">AND</span> <span class="n">active</span> <span class="o">=</span> <span class="o">?</span><span class="p">;</span> <span class="c1">-- Driver binds first ? to email string, second ? to boolean/integer.</span> </code></pre> </div> <h2> 7.2 Server-side PREPARE / EXECUTE (MySQL) </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Server-side prepare example</span> <span class="k">SET</span> <span class="o">@</span><span class="k">sql</span> <span class="o">=</span> <span class="s1">'SELECT id, username FROM users WHERE age &gt;= ? AND city = ?'</span><span class="p">;</span> <span class="k">PREPARE</span> <span class="n">stmt</span> <span class="k">FROM</span> <span class="o">@</span><span class="k">sql</span><span class="p">;</span> <span class="k">SET</span> <span class="o">@</span><span class="n">age</span> <span class="o">=</span> <span class="mi">30</span><span class="p">;</span> <span class="k">SET</span> <span class="o">@</span><span class="n">city</span> <span class="o">=</span> <span class="s1">'Kathmandu'</span><span class="p">;</span> <span class="k">EXECUTE</span> <span class="n">stmt</span> <span class="k">USING</span> <span class="o">@</span><span class="n">age</span><span class="p">,</span> <span class="o">@</span><span class="n">city</span><span class="p">;</span> <span class="k">DEALLOCATE</span> <span class="k">PREPARE</span> <span class="n">stmt</span><span class="p">;</span> </code></pre> </div> <p><strong>Notes:</strong> MySQL <code>EXECUTE ... USING</code> requires user-defined variables (e.g., <code>@age</code>). Many client drivers skip manual PREPARE and perform binds using <code>?</code>.</p> <h2> 7.3 Stored procedure (MySQL) </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">DELIMITER</span> <span class="err">$$</span> <span class="k">CREATE</span> <span class="k">PROCEDURE</span> <span class="n">GetProductsByCategory</span><span class="p">(</span><span class="k">IN</span> <span class="n">p_category</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">100</span><span class="p">))</span> <span class="k">BEGIN</span> <span class="k">SELECT</span> <span class="n">ProductId</span><span class="p">,</span> <span class="n">Name</span><span class="p">,</span> <span class="n">Price</span> <span class="k">FROM</span> <span class="n">Products</span> <span class="k">WHERE</span> <span class="n">Category</span> <span class="o">=</span> <span class="n">p_category</span><span class="p">;</span> <span class="k">END</span><span class="err">$$</span> <span class="k">DELIMITER</span> <span class="p">;</span> <span class="c1">-- Execute:</span> <span class="k">CALL</span> <span class="n">GetProductsByCategory</span><span class="p">(</span><span class="s1">'Beverages'</span><span class="p">);</span> </code></pre> </div> <h2> 7.4 Safe dynamic SQL (MySQL) </h2> <p>If building SQL with identifiers, whitelist them. For values, use prepared statement placeholders with <code>PREPARE</code> + <code>EXECUTE ... USING</code>.</p> <h1> 8) PostgreSQL: placeholders &amp; prepared statements </h1> <h2> 8.1 Ad-hoc query using libpq ($1 style) </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Example prepared on server or used by libpq: placeholders are $1, $2</span> <span class="k">SELECT</span> <span class="n">id</span><span class="p">,</span> <span class="n">name</span> <span class="k">FROM</span> <span class="n">employees</span> <span class="k">WHERE</span> <span class="n">department</span> <span class="o">=</span> <span class="err">$</span><span class="mi">1</span> <span class="k">AND</span> <span class="n">hired</span> <span class="o">&gt;=</span> <span class="err">$</span><span class="mi">2</span><span class="p">;</span> <span class="c1">-- $1 and $2 are bound by the client/driver.</span> </code></pre> </div> <h2> 8.2 Server-side PREPARE / EXECUTE (Postgres) </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">PREPARE</span> <span class="n">search_emps</span><span class="p">(</span><span class="nb">text</span><span class="p">,</span> <span class="nb">date</span><span class="p">)</span> <span class="k">AS</span> <span class="k">SELECT</span> <span class="n">id</span><span class="p">,</span> <span class="n">name</span> <span class="k">FROM</span> <span class="n">employees</span> <span class="k">WHERE</span> <span class="n">department</span> <span class="o">=</span> <span class="err">$</span><span class="mi">1</span> <span class="k">AND</span> <span class="n">hired</span> <span class="o">&gt;=</span> <span class="err">$</span><span class="mi">2</span><span class="p">;</span> <span class="k">EXECUTE</span> <span class="n">search_emps</span><span class="p">(</span><span class="s1">'Sales'</span><span class="p">,</span> <span class="s1">'2024-01-01'</span><span class="p">);</span> <span class="k">DEALLOCATE</span> <span class="n">search_emps</span><span class="p">;</span> </code></pre> </div> <h2> 8.3 Dynamic SQL inside PL/pgSQL with parameters </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="n">get_table_count</span><span class="p">(</span><span class="n">tbl</span> <span class="nb">TEXT</span><span class="p">)</span> <span class="k">RETURNS</span> <span class="nb">BIGINT</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">DECLARE</span> <span class="n">cnt</span> <span class="nb">BIGINT</span><span class="p">;</span> <span class="k">sql</span> <span class="nb">TEXT</span><span class="p">;</span> <span class="k">BEGIN</span> <span class="c1">-- Validate table name against allowed list to avoid injection</span> <span class="n">IF</span> <span class="n">tbl</span> <span class="k">NOT</span> <span class="k">IN</span> <span class="p">(</span><span class="s1">'employees'</span><span class="p">,</span> <span class="s1">'departments'</span><span class="p">)</span> <span class="k">THEN</span> <span class="n">RAISE</span> <span class="n">EXCEPTION</span> <span class="s1">'Invalid table name'</span><span class="p">;</span> <span class="k">END</span> <span class="n">IF</span><span class="p">;</span> <span class="k">sql</span> <span class="p">:</span><span class="o">=</span> <span class="n">format</span><span class="p">(</span><span class="s1">'SELECT count(*) FROM %I'</span><span class="p">,</span> <span class="n">tbl</span><span class="p">);</span> <span class="c1">-- %I quotes identifier</span> <span class="k">EXECUTE</span> <span class="k">sql</span> <span class="k">INTO</span> <span class="n">cnt</span><span class="p">;</span> <span class="k">RETURN</span> <span class="n">cnt</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span><span class="p">;</span> </code></pre> </div> <p><code>format(... %I)</code> safely formats an identifier.</p> <h1> 9) Application-layer example — C# ADO.NET (SqlCommand) </h1> <h3> Good pattern (typed binding) </h3> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">System.Data</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Data.SqlClient</span><span class="p">;</span> <span class="kt">string</span> <span class="n">connStr</span> <span class="p">=</span> <span class="s">"..."</span><span class="p">;</span> <span class="k">using</span><span class="p">(</span><span class="n">SqlConnection</span> <span class="n">conn</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">SqlConnection</span><span class="p">(</span><span class="n">connStr</span><span class="p">))</span> <span class="p">{</span> <span class="n">conn</span><span class="p">.</span><span class="nf">Open</span><span class="p">();</span> <span class="k">using</span><span class="p">(</span><span class="n">SqlCommand</span> <span class="n">cmd</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">SqlCommand</span><span class="p">(</span> <span class="s">"SELECT UserId, Username FROM Users WHERE Email = @email AND IsActive = @active;"</span><span class="p">,</span> <span class="n">conn</span><span class="p">))</span> <span class="p">{</span> <span class="n">cmd</span><span class="p">.</span><span class="n">Parameters</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="s">"@email"</span><span class="p">,</span> <span class="n">SqlDbType</span><span class="p">.</span><span class="n">NVarChar</span><span class="p">,</span> <span class="m">256</span><span class="p">).</span><span class="n">Value</span> <span class="p">=</span> <span class="n">userEmail</span><span class="p">;</span> <span class="n">cmd</span><span class="p">.</span><span class="n">Parameters</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="s">"@active"</span><span class="p">,</span> <span class="n">SqlDbType</span><span class="p">.</span><span class="n">Bit</span><span class="p">).</span><span class="n">Value</span> <span class="p">=</span> <span class="k">true</span><span class="p">;</span> <span class="k">using</span><span class="p">(</span><span class="n">SqlDataReader</span> <span class="n">r</span> <span class="p">=</span> <span class="n">cmd</span><span class="p">.</span><span class="nf">ExecuteReader</span><span class="p">())</span> <span class="p">{</span> <span class="k">while</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="nf">Read</span><span class="p">())</span> <span class="p">{</span> <span class="cm">/* ... */</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Notes:</strong></p> <ul> <li>Prefer <code>Parameters.Add()</code> with explicit <code>SqlDbType</code> and size for correctness/plan stability.</li> <li> <code>AddWithValue()</code> is common but can cause type inference issues (e.g., NVARCHAR vs VARCHAR) and suboptimal plans: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="c1">// Simpler but less recommended:</span> <span class="n">cmd</span><span class="p">.</span><span class="n">Parameters</span><span class="p">.</span><span class="nf">AddWithValue</span><span class="p">(</span><span class="s">"@email"</span><span class="p">,</span> <span class="n">userEmail</span><span class="p">);</span> <span class="n">cmd</span><span class="p">.</span><span class="n">Parameters</span><span class="p">.</span><span class="nf">AddWithValue</span><span class="p">(</span><span class="s">"@active"</span><span class="p">,</span> <span class="k">true</span><span class="p">);</span> </code></pre> </div> <h3> Mapping: </h3> <ul> <li> <code>@param</code> in SQL Server → <code>SqlCommand</code> parameter name <code>@param</code> </li> <li> <code>?</code> (MySQL) → <code>MySqlCommand</code> parameter markers depend on driver (e.g., <code>?</code> or <code>@p0</code>), driver docs must be consulted.</li> </ul> <h1> 10) Why parameter binding neutralizes injection (concise) </h1> <p>Injection occurs when user input is interpreted as SQL syntax. With parameter binding:</p> <ul> <li>The SQL parser sees placeholders — not user text — when parsing/compiling.</li> <li>Bound values are assigned <em>as typed values</em>; any characters they contain (quotes, semicolons) are data, not SQL tokens. Thus <code>'; DROP TABLE Users; --</code> becomes a string value, not an executable clause.</li> </ul> <h3> Small attack example (unsafe) — MySQL / concatenation </h3> <p>Unsafe:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Suppose user input: alice' OR '1'='1</span> <span class="k">SET</span> <span class="o">@</span><span class="n">q</span> <span class="o">=</span> <span class="n">CONCAT</span><span class="p">(</span><span class="s1">'SELECT * FROM users WHERE username = </span><span class="se">''</span><span class="s1">'</span><span class="p">,</span> <span class="o">@</span><span class="n">userInput</span><span class="p">,</span> <span class="s1">'</span><span class="se">''</span><span class="s1">;'</span><span class="p">);</span> <span class="k">PREPARE</span> <span class="n">st</span> <span class="k">FROM</span> <span class="o">@</span><span class="n">q</span><span class="p">;</span> <span class="k">EXECUTE</span> <span class="n">st</span><span class="p">;</span> </code></pre> </div> <p>This yields <code>... WHERE username = 'alice' OR '1'='1'</code> — attacker bypasses authentication.</p> <p>Safe parameterized:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">WHERE</span> <span class="n">username</span> <span class="o">=</span> <span class="o">?</span><span class="p">;</span> <span class="c1">-- Bind ? = "alice' OR '1'='1" -&gt; treated as literal string; no bypass.</span> </code></pre> </div> <h1> 11) Dynamic SQL — safe patterns </h1> <ul> <li> <strong>SQL Server:</strong> use <code>sp_executesql</code> with parameter placeholders, pass parameter definitions and values separately.</li> <li> <strong>Postgres:</strong> use <code>EXECUTE</code> with <code>format()</code> and <code>%I</code> for identifiers, but pass values as parameters to <code>EXECUTE ... USING</code>.</li> <li> <strong>MySQL:</strong> use <code>PREPARE</code> + <code>EXECUTE ... USING</code> and user variables.</li> </ul> <p><strong>Rule of thumb:</strong> Never inject unvalidated user data into SQL text. If you must inject identifiers (table/column names), <strong>whitelist</strong> allowed values and/or use proper identifier quoting functions.</p> <h1> 12) Performance notes </h1> <ul> <li>Prepared statements and stored procedures can reduce parse/compile overhead on repeated queries.</li> <li>Plan caching: typed parameters and consistent parameter patterns help the optimizer reuse plans.</li> <li>Beware of parameter sniffing (SQL Server): the plan created for a specific parameter value may be suboptimal for other values. Techniques: RECOMPILE hints, parameterization strategies, or OPTIMIZE FOR.</li> <li>Overhead: creating many one-time server-side prepared statements may not help; reuse is key.</li> <li>Use proper indexing and correct parameter types to achieve stable performance.</li> </ul> <h1> 13) Practical use cases </h1> <ul> <li>Login authentication (<code>SELECT ... WHERE username = @username AND passwordHash = @hash</code>)</li> <li>User-driven filtering (search forms with many optional parameters — combine with <code>(@p IS NULL OR col = @p)</code> pattern)</li> <li>Inserts/Updates from forms (bind each form field to explicit parameter)</li> <li>Batch operations: same prepared statement executed with different parameter sets.</li> </ul> <h1> 14) Best practices (short) </h1> <ul> <li><strong>Always parameterize user input.</strong></li> <li>Use <strong>typed parameters</strong> (avoid blind <code>AddWithValue</code> where type matters).</li> <li> <strong>Do not</strong> build SQL by concatenating user strings (unless using a safe whitelist method for identifiers).</li> <li>When using dynamic SQL, <strong>use parameterized execution</strong> (<code>sp_executesql</code>, <code>EXECUTE ... USING</code>, <code>format(%I)</code> with validation).</li> <li>Validate or whitelist identifiers inserted into SQL.</li> <li>Use stored procedures for business logic reuse and to centralize access control when appropriate.</li> <li>Monitor and address parameter sniffing issues (SQL Server).</li> </ul> <h1> 15) Exercises (with solutions) </h1> <h3> Exercise 1 — Parameterized SELECT (SQL Server) </h3> <p><strong>Task:</strong> Write a parameterized query that selects <code>Id, Email</code> from <code>Customers</code> where <code>Country = @country</code> and <code>IsActive = @active</code>.</p> <p><strong>Solution:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">DECLARE</span> <span class="o">@</span><span class="n">country</span> <span class="n">NVARCHAR</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="o">=</span> <span class="s1">'Nepal'</span><span class="p">;</span> <span class="k">DECLARE</span> <span class="o">@</span><span class="n">active</span> <span class="nb">BIT</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="k">SELECT</span> <span class="n">Id</span><span class="p">,</span> <span class="n">Email</span> <span class="k">FROM</span> <span class="n">Customers</span> <span class="k">WHERE</span> <span class="n">Country</span> <span class="o">=</span> <span class="o">@</span><span class="n">country</span> <span class="k">AND</span> <span class="n">IsActive</span> <span class="o">=</span> <span class="o">@</span><span class="n">active</span><span class="p">;</span> </code></pre> </div> <h3> Exercise 2 — Parameterized INSERT (MySQL via driver syntax) </h3> <p><strong>Task:</strong> Prepare an INSERT for <code>Products(Name, Price)</code> with two positional parameters.</p> <p><strong>Solution (driver SQL text):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">Products</span> <span class="p">(</span><span class="n">Name</span><span class="p">,</span> <span class="n">Price</span><span class="p">)</span> <span class="k">VALUES</span> <span class="p">(</span><span class="o">?</span><span class="p">,</span> <span class="o">?</span><span class="p">);</span> <span class="c1">-- Driver binds first ? to string Name, second ? to decimal Price</span> </code></pre> </div> <h3> Exercise 3 — Stored procedure with two parameters (SQL Server) </h3> <p><strong>Task:</strong> Create a proc <code>AddLog</code> that inserts into <code>Logs(Message, CreatedAt)</code>.</p> <p><strong>Solution:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">PROCEDURE</span> <span class="n">dbo</span><span class="p">.</span><span class="n">AddLog</span> <span class="o">@</span><span class="n">Message</span> <span class="n">NVARCHAR</span><span class="p">(</span><span class="mi">4000</span><span class="p">),</span> <span class="o">@</span><span class="n">CreatedAt</span> <span class="nb">DATETIME</span> <span class="o">=</span> <span class="k">NULL</span> <span class="k">AS</span> <span class="k">BEGIN</span> <span class="k">SET</span> <span class="n">NOCOUNT</span> <span class="k">ON</span><span class="p">;</span> <span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">Logs</span> <span class="p">(</span><span class="n">Message</span><span class="p">,</span> <span class="n">CreatedAt</span><span class="p">)</span> <span class="k">VALUES</span> <span class="p">(</span><span class="o">@</span><span class="n">Message</span><span class="p">,</span> <span class="k">ISNULL</span><span class="p">(</span><span class="o">@</span><span class="n">CreatedAt</span><span class="p">,</span> <span class="n">GETDATE</span><span class="p">()));</span> <span class="k">END</span><span class="p">;</span> <span class="k">GO</span> <span class="c1">-- Execute:</span> <span class="k">EXEC</span> <span class="n">dbo</span><span class="p">.</span><span class="n">AddLog</span> <span class="o">@</span><span class="n">Message</span> <span class="o">=</span> <span class="s1">'User logged in'</span><span class="p">,</span> <span class="o">@</span><span class="n">CreatedAt</span> <span class="o">=</span> <span class="k">NULL</span><span class="p">;</span> </code></pre> </div> <h3> Exercise 4 — Convert unsafe concatenated query to parameterized (Postgres) </h3> <p><strong>Unsafe:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- DO NOT DO:</span> <span class="k">EXECUTE</span> <span class="s1">'SELECT * FROM orders WHERE order_no = </span><span class="se">''</span><span class="s1">'</span> <span class="o">||</span> <span class="n">p_order_no</span> <span class="o">||</span> <span class="s1">'</span><span class="se">''</span><span class="s1">'</span><span class="p">;</span> </code></pre> </div> <p><strong>Safe:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- inside PL/pgSQL</span> <span class="k">EXECUTE</span> <span class="s1">'SELECT * FROM orders WHERE order_no = $1'</span> <span class="k">USING</span> <span class="n">p_order_no</span><span class="p">;</span> </code></pre> </div> <h1> 16) Mini-FAQ — common errors &amp; diagnosis </h1> <p><strong>Q: Placeholder mismatch (more values than placeholders)?</strong><br> A: Error will indicate number mismatch. Count placeholders and bound parameters; driver docs define placeholder counting (e.g., <code>?</code> are positional).</p> <p><strong>Q: Quoting errors (unexpected token near ')')?</strong><br> A: Often caused by concatenating strings. Use parameters instead. If using dynamic SQL, ensure text is built correctly and parameter placeholders match.</p> <p><strong>Q: Execution vs preparation scope (MySQL PREPARE)?</strong><br> A: MySQL server-side PREPARE uses user variables for <code>EXECUTE ... USING</code>. <code>PREPARE</code> lives until <code>DEALLOCATE PREPARE</code> or session end.</p> <p><strong>Q: AddWithValue gives slow queries / wrong type?</strong><br> A: <code>AddWithValue</code> infers type. Prefer <code>Add(name, SqlDbType, size).Value = value</code>.</p> <p><strong>Q: Why does plan change by parameter value?</strong><br> A: Parameter sniffing: the optimizer uses parameter value to generate a plan. Solutions: <code>OPTION (RECOMPILE)</code>, <code>OPTIMIZE FOR UNKNOWN</code>, or force plan stability with appropriate hints.</p> <p><strong>Q: Can I use parameters for table names?</strong><br> A: No — parameters apply to values, not identifiers. Use white-listed identifiers or carefully built quoted identifiers.</p> <h1> 17) Quick checklist (copy &amp; use) </h1> <ul> <li>[ ] Parameterize every user input (no string concatenation).</li> <li>[ ] Use typed parameters (specify db type and size).</li> <li>[ ] Use prepared statements or stored procedures for repeated queries.</li> <li>[ ] For dynamic SQL: pass values as parameters; whitelist/validate identifiers.</li> <li>[ ] Review driver docs for placeholder style (<code>?</code>, <code>$1</code>, <code>@name</code>).</li> <li>[ ] Test for SQL injection vectors during QA.</li> <li>[ ] Monitor performance and parameter sniffing behavior.</li> </ul> <h1> SQL Server — runnable script (schema, data, parameterized examples, stored procedures, safe dynamic SQL) </h1> <p>Save this as <code>param_examples_sqlserver.sql</code> and run in <strong>SQL Server Management Studio</strong> (SSMS) or with <code>sqlcmd</code>. This script is safe to run on a development DB — it creates tables, inserts sample data, and demonstrates parameterized queries, stored procedures (single &amp; multiple params), <code>sp_executesql</code> for safe dynamic SQL, and a commented unsafe concatenation example for illustration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- param_examples_sqlserver.sql</span> <span class="c1">-- Run in SSMS (select a database first) or:</span> <span class="c1">-- sqlcmd -S localhost -d YourDb -i param_examples_sqlserver.sql -U sa -P 'your_password'</span> <span class="c1">-- WARNING: Run on a development database only.</span> <span class="k">SET</span> <span class="n">NOCOUNT</span> <span class="k">ON</span><span class="p">;</span> <span class="c1">-- 1. Clean up existing objects (safe dev-only drop)</span> <span class="n">IF</span> <span class="n">OBJECT_ID</span><span class="p">(</span><span class="s1">'dbo.Orders'</span><span class="p">,</span> <span class="s1">'U'</span><span class="p">)</span> <span class="k">IS</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DROP</span> <span class="k">TABLE</span> <span class="n">dbo</span><span class="p">.</span><span class="n">Orders</span><span class="p">;</span> <span class="n">IF</span> <span class="n">OBJECT_ID</span><span class="p">(</span><span class="s1">'dbo.Users'</span><span class="p">,</span> <span class="s1">'U'</span><span class="p">)</span> <span class="k">IS</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DROP</span> <span class="k">TABLE</span> <span class="n">dbo</span><span class="p">.</span><span class="n">Users</span><span class="p">;</span> <span class="n">IF</span> <span class="n">OBJECT_ID</span><span class="p">(</span><span class="s1">'dbo.GetUsersByCountry'</span><span class="p">,</span> <span class="s1">'P'</span><span class="p">)</span> <span class="k">IS</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DROP</span> <span class="k">PROCEDURE</span> <span class="n">dbo</span><span class="p">.</span><span class="n">GetUsersByCountry</span><span class="p">;</span> <span class="n">IF</span> <span class="n">OBJECT_ID</span><span class="p">(</span><span class="s1">'dbo.SearchOrders'</span><span class="p">,</span> <span class="s1">'P'</span><span class="p">)</span> <span class="k">IS</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DROP</span> <span class="k">PROCEDURE</span> <span class="n">dbo</span><span class="p">.</span><span class="n">SearchOrders</span><span class="p">;</span> <span class="n">IF</span> <span class="n">OBJECT_ID</span><span class="p">(</span><span class="s1">'dbo.AddLog'</span><span class="p">,</span> <span class="s1">'P'</span><span class="p">)</span> <span class="k">IS</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DROP</span> <span class="k">PROCEDURE</span> <span class="n">dbo</span><span class="p">.</span><span class="n">AddLog</span><span class="p">;</span> <span class="c1">-- 2. Create sample schema</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">dbo</span><span class="p">.</span><span class="n">Users</span> <span class="p">(</span> <span class="n">UserId</span> <span class="nb">INT</span> <span class="k">IDENTITY</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">Username</span> <span class="n">NVARCHAR</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">UNIQUE</span><span class="p">,</span> <span class="n">Email</span> <span class="n">NVARCHAR</span><span class="p">(</span><span class="mi">256</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">IsActive</span> <span class="nb">BIT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="mi">1</span><span class="p">,</span> <span class="n">Country</span> <span class="n">NVARCHAR</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">CreatedAt</span> <span class="n">DATETIME2</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="n">SYSDATETIME</span><span class="p">()</span> <span class="p">);</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">dbo</span><span class="p">.</span><span class="n">Orders</span> <span class="p">(</span> <span class="n">OrderId</span> <span class="nb">INT</span> <span class="k">IDENTITY</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">UserId</span> <span class="nb">INT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">REFERENCES</span> <span class="n">dbo</span><span class="p">.</span><span class="n">Users</span><span class="p">(</span><span class="n">UserId</span><span class="p">),</span> <span class="n">OrderDate</span> <span class="nb">DATE</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">Total</span> <span class="nb">DECIMAL</span><span class="p">(</span><span class="mi">10</span><span class="p">,</span><span class="mi">2</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="p">);</span> <span class="c1">-- 3. Insert sample data</span> <span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">dbo</span><span class="p">.</span><span class="n">Users</span> <span class="p">(</span><span class="n">Username</span><span class="p">,</span> <span class="n">Email</span><span class="p">,</span> <span class="n">IsActive</span><span class="p">,</span> <span class="n">Country</span><span class="p">)</span> <span class="k">VALUES</span> <span class="p">(</span><span class="s1">'alice'</span><span class="p">,</span> <span class="s1">'alice@example.com'</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="s1">'Nepal'</span><span class="p">),</span> <span class="p">(</span><span class="s1">'bob'</span><span class="p">,</span> <span class="s1">'bob@example.com'</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="s1">'USA'</span><span class="p">),</span> <span class="p">(</span><span class="s1">'mallory'</span><span class="p">,</span><span class="s1">'mallory@badguy.example'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="s1">'Nepal'</span><span class="p">);</span> <span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">dbo</span><span class="p">.</span><span class="n">Orders</span> <span class="p">(</span><span class="n">UserId</span><span class="p">,</span> <span class="n">OrderDate</span><span class="p">,</span> <span class="n">Total</span><span class="p">)</span> <span class="k">VALUES</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="s1">'2025-01-10'</span><span class="p">,</span> <span class="mi">120</span><span class="p">.</span><span class="mi">50</span><span class="p">),</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="s1">'2025-03-25'</span><span class="p">,</span> <span class="mi">75</span><span class="p">.</span><span class="mi">00</span><span class="p">),</span> <span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="s1">'2024-11-01'</span><span class="p">,</span> <span class="mi">2000</span><span class="p">.</span><span class="mi">00</span><span class="p">);</span> <span class="c1">-- 4. AD-HOC parameterized usage (T-SQL variables as parameters)</span> <span class="n">PRINT</span> <span class="s1">'--- Ad-hoc parameterized SELECT using T-SQL variables ---'</span><span class="p">;</span> <span class="k">DECLARE</span> <span class="o">@</span><span class="n">country</span> <span class="n">NVARCHAR</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="o">=</span> <span class="n">N</span><span class="s1">'Nepal'</span><span class="p">;</span> <span class="k">DECLARE</span> <span class="o">@</span><span class="n">isActive</span> <span class="nb">BIT</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="k">SELECT</span> <span class="n">UserId</span><span class="p">,</span> <span class="n">Username</span><span class="p">,</span> <span class="n">Email</span><span class="p">,</span> <span class="n">Country</span><span class="p">,</span> <span class="n">IsActive</span><span class="p">,</span> <span class="n">CreatedAt</span> <span class="k">FROM</span> <span class="n">dbo</span><span class="p">.</span><span class="n">Users</span> <span class="k">WHERE</span> <span class="n">Country</span> <span class="o">=</span> <span class="o">@</span><span class="n">country</span> <span class="k">AND</span> <span class="n">IsActive</span> <span class="o">=</span> <span class="o">@</span><span class="n">isActive</span><span class="p">;</span> <span class="c1">-- 5. Stored procedure: single input parameter</span> <span class="k">CREATE</span> <span class="k">PROCEDURE</span> <span class="n">dbo</span><span class="p">.</span><span class="n">GetUsersByCountry</span> <span class="o">@</span><span class="n">Country</span> <span class="n">NVARCHAR</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">AS</span> <span class="k">BEGIN</span> <span class="k">SET</span> <span class="n">NOCOUNT</span> <span class="k">ON</span><span class="p">;</span> <span class="k">SELECT</span> <span class="n">UserId</span><span class="p">,</span> <span class="n">Username</span><span class="p">,</span> <span class="n">Email</span><span class="p">,</span> <span class="n">Country</span><span class="p">,</span> <span class="n">IsActive</span> <span class="k">FROM</span> <span class="n">dbo</span><span class="p">.</span><span class="n">Users</span> <span class="k">WHERE</span> <span class="n">Country</span> <span class="o">=</span> <span class="o">@</span><span class="n">Country</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="k">GO</span> <span class="c1">-- Execute stored proc (named and positional)</span> <span class="n">PRINT</span> <span class="s1">'--- Execute dbo.GetUsersByCountry ---'</span><span class="p">;</span> <span class="k">EXEC</span> <span class="n">dbo</span><span class="p">.</span><span class="n">GetUsersByCountry</span> <span class="o">@</span><span class="n">Country</span> <span class="o">=</span> <span class="n">N</span><span class="s1">'Nepal'</span><span class="p">;</span> <span class="k">EXEC</span> <span class="n">dbo</span><span class="p">.</span><span class="n">GetUsersByCountry</span> <span class="n">N</span><span class="s1">'USA'</span><span class="p">;</span> <span class="c1">-- 6. Stored procedure: multiple parameters + JOINs + optional filters</span> <span class="k">CREATE</span> <span class="k">PROCEDURE</span> <span class="n">dbo</span><span class="p">.</span><span class="n">SearchOrders</span> <span class="o">@</span><span class="n">CustomerId</span> <span class="nb">INT</span> <span class="o">=</span> <span class="k">NULL</span><span class="p">,</span> <span class="c1">-- optional filter</span> <span class="o">@</span><span class="n">StartDate</span> <span class="nb">DATE</span> <span class="o">=</span> <span class="k">NULL</span><span class="p">,</span> <span class="c1">-- optional filter</span> <span class="o">@</span><span class="n">EndDate</span> <span class="nb">DATE</span> <span class="o">=</span> <span class="k">NULL</span> <span class="k">AS</span> <span class="k">BEGIN</span> <span class="k">SET</span> <span class="n">NOCOUNT</span> <span class="k">ON</span><span class="p">;</span> <span class="k">SELECT</span> <span class="n">o</span><span class="p">.</span><span class="n">OrderId</span><span class="p">,</span> <span class="n">o</span><span class="p">.</span><span class="n">OrderDate</span><span class="p">,</span> <span class="n">o</span><span class="p">.</span><span class="n">Total</span><span class="p">,</span> <span class="n">u</span><span class="p">.</span><span class="n">UserId</span><span class="p">,</span> <span class="n">u</span><span class="p">.</span><span class="n">Username</span><span class="p">,</span> <span class="n">u</span><span class="p">.</span><span class="n">Email</span> <span class="k">FROM</span> <span class="n">dbo</span><span class="p">.</span><span class="n">Orders</span> <span class="n">o</span> <span class="k">INNER</span> <span class="k">JOIN</span> <span class="n">dbo</span><span class="p">.</span><span class="n">Users</span> <span class="n">u</span> <span class="k">ON</span> <span class="n">u</span><span class="p">.</span><span class="n">UserId</span> <span class="o">=</span> <span class="n">o</span><span class="p">.</span><span class="n">UserId</span> <span class="k">WHERE</span> <span class="p">(</span><span class="o">@</span><span class="n">CustomerId</span> <span class="k">IS</span> <span class="k">NULL</span> <span class="k">OR</span> <span class="n">o</span><span class="p">.</span><span class="n">UserId</span> <span class="o">=</span> <span class="o">@</span><span class="n">CustomerId</span><span class="p">)</span> <span class="k">AND</span> <span class="p">(</span><span class="o">@</span><span class="n">StartDate</span> <span class="k">IS</span> <span class="k">NULL</span> <span class="k">OR</span> <span class="n">o</span><span class="p">.</span><span class="n">OrderDate</span> <span class="o">&gt;=</span> <span class="o">@</span><span class="n">StartDate</span><span class="p">)</span> <span class="k">AND</span> <span class="p">(</span><span class="o">@</span><span class="n">EndDate</span> <span class="k">IS</span> <span class="k">NULL</span> <span class="k">OR</span> <span class="n">o</span><span class="p">.</span><span class="n">OrderDate</span> <span class="o">&lt;=</span> <span class="o">@</span><span class="n">EndDate</span><span class="p">)</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">o</span><span class="p">.</span><span class="n">OrderDate</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="k">GO</span> <span class="n">PRINT</span> <span class="s1">'--- Execute dbo.SearchOrders examples ---'</span><span class="p">;</span> <span class="c1">-- By customer</span> <span class="k">EXEC</span> <span class="n">dbo</span><span class="p">.</span><span class="n">SearchOrders</span> <span class="o">@</span><span class="n">CustomerId</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="c1">-- By date range</span> <span class="k">EXEC</span> <span class="n">dbo</span><span class="p">.</span><span class="n">SearchOrders</span> <span class="o">@</span><span class="n">StartDate</span> <span class="o">=</span> <span class="s1">'2025-01-01'</span><span class="p">,</span> <span class="o">@</span><span class="n">EndDate</span> <span class="o">=</span> <span class="s1">'2025-12-31'</span><span class="p">;</span> <span class="c1">-- Combined</span> <span class="k">EXEC</span> <span class="n">dbo</span><span class="p">.</span><span class="n">SearchOrders</span> <span class="o">@</span><span class="n">CustomerId</span> <span class="o">=</span> <span class="mi">1</span><span class="p">,</span> <span class="o">@</span><span class="n">StartDate</span> <span class="o">=</span> <span class="s1">'2025-01-01'</span><span class="p">;</span> <span class="c1">-- 7. Parameterized dynamic SQL using sp_executesql (safe!)</span> <span class="c1">-- Use this when SQL text must be built dynamically but values must still be bound safely.</span> <span class="n">PRINT</span> <span class="s1">'--- Demonstrate safe dynamic SQL with sp_executesql ---'</span><span class="p">;</span> <span class="k">DECLARE</span> <span class="o">@</span><span class="k">sql</span> <span class="n">NVARCHAR</span><span class="p">(</span><span class="k">MAX</span><span class="p">);</span> <span class="k">DECLARE</span> <span class="o">@</span><span class="n">minTotal</span> <span class="nb">DECIMAL</span><span class="p">(</span><span class="mi">10</span><span class="p">,</span><span class="mi">2</span><span class="p">)</span> <span class="o">=</span> <span class="mi">100</span><span class="p">.</span><span class="mi">00</span><span class="p">;</span> <span class="k">SET</span> <span class="o">@</span><span class="k">sql</span> <span class="o">=</span> <span class="n">N</span><span class="s1">' SELECT o.OrderId, o.OrderDate, o.Total, u.Username FROM dbo.Orders o JOIN dbo.Users u ON u.UserId = o.UserId WHERE o.Total &gt;= @minTotal '</span><span class="p">;</span> <span class="c1">-- Note: parameter definition string and named parameter binding</span> <span class="k">EXEC</span> <span class="n">sp_executesql</span> <span class="o">@</span><span class="k">sql</span><span class="p">,</span> <span class="n">N</span><span class="s1">'@minTotal DECIMAL(10,2)'</span><span class="p">,</span> <span class="o">@</span><span class="n">minTotal</span> <span class="o">=</span> <span class="o">@</span><span class="n">minTotal</span><span class="p">;</span> <span class="c1">-- 8. Unsafe concatenation example (commented) — DO NOT EXECUTE WITH UNTRUSTED INPUT</span> <span class="c1">-- This shows how concatenation can lead to injection if user input is embedded directly.</span> <span class="c1">-- Example user input that would break logic: alice' OR '1'='1</span> <span class="c1">-- Unsafe (do NOT run using untrusted input):</span> <span class="c1">-- DECLARE @userInput NVARCHAR(200) = N'alice'' OR ''1''=''1';</span> <span class="c1">-- DECLARE @badsql NVARCHAR(MAX) = N'SELECT UserId, Username FROM dbo.Users WHERE Username = ''' + @userInput + N''';';</span> <span class="c1">-- PRINT @badsql; -- Shows the injected SQL</span> <span class="c1">-- EXEC(@badsql); -- Vulnerable if @userInput is attacker-controlled</span> <span class="c1">-- 9. Example converting unsafe to safe: use parameter instead of concatenation</span> <span class="n">PRINT</span> <span class="s1">'--- Safe equivalent (parameterized) to the above unsafe concatenation ---'</span><span class="p">;</span> <span class="k">DECLARE</span> <span class="o">@</span><span class="n">safeInput</span> <span class="n">NVARCHAR</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span> <span class="o">=</span> <span class="n">N</span><span class="s1">'alice</span><span class="se">''</span><span class="s1"> OR </span><span class="se">''</span><span class="s1">1</span><span class="se">''</span><span class="s1">=</span><span class="se">''</span><span class="s1">1'</span><span class="p">;</span> <span class="c1">-- attacker string, treated as data</span> <span class="k">SELECT</span> <span class="n">UserId</span><span class="p">,</span> <span class="n">Username</span> <span class="k">FROM</span> <span class="n">dbo</span><span class="p">.</span><span class="n">Users</span> <span class="k">WHERE</span> <span class="n">Username</span> <span class="o">=</span> <span class="o">@</span><span class="n">safeInput</span><span class="p">;</span> <span class="c1">-- safe: value cannot change SQL structure</span> <span class="c1">-- 10. Demonstrate OUTPUT parameter and using a stored proc to insert (practical reuse)</span> <span class="k">CREATE</span> <span class="k">PROCEDURE</span> <span class="n">dbo</span><span class="p">.</span><span class="n">AddLog</span> <span class="o">@</span><span class="n">Message</span> <span class="n">NVARCHAR</span><span class="p">(</span><span class="mi">4000</span><span class="p">),</span> <span class="o">@</span><span class="n">CreatedAt</span> <span class="n">DATETIME2</span> <span class="o">=</span> <span class="k">NULL</span><span class="p">,</span> <span class="o">@</span><span class="n">LogId</span> <span class="nb">INT</span> <span class="k">OUTPUT</span> <span class="k">AS</span> <span class="k">BEGIN</span> <span class="k">SET</span> <span class="n">NOCOUNT</span> <span class="k">ON</span><span class="p">;</span> <span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">dbo</span><span class="p">.</span><span class="n">Users</span> <span class="p">(</span><span class="n">Username</span><span class="p">,</span> <span class="n">Email</span><span class="p">,</span> <span class="n">IsActive</span><span class="p">,</span> <span class="n">Country</span><span class="p">,</span> <span class="n">CreatedAt</span><span class="p">)</span> <span class="k">VALUES</span> <span class="p">(</span><span class="s1">'__loguser__'</span><span class="p">,</span> <span class="s1">'log@example.com'</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="s1">'Nowhere'</span><span class="p">,</span> <span class="k">ISNULL</span><span class="p">(</span><span class="o">@</span><span class="n">CreatedAt</span><span class="p">,</span> <span class="n">SYSDATETIME</span><span class="p">()));</span> <span class="k">SET</span> <span class="o">@</span><span class="n">LogId</span> <span class="o">=</span> <span class="n">SCOPE_IDENTITY</span><span class="p">();</span> <span class="k">END</span><span class="p">;</span> <span class="k">GO</span> <span class="c1">-- Note: Above AddLog uses Users table just for demo of OUTPUT — in real usage use a Logs table.</span> <span class="k">DECLARE</span> <span class="o">@</span><span class="n">newId</span> <span class="nb">INT</span><span class="p">;</span> <span class="k">EXEC</span> <span class="n">dbo</span><span class="p">.</span><span class="n">AddLog</span> <span class="o">@</span><span class="n">Message</span> <span class="o">=</span> <span class="n">N</span><span class="s1">'Test'</span><span class="p">,</span> <span class="o">@</span><span class="n">CreatedAt</span> <span class="o">=</span> <span class="k">NULL</span><span class="p">,</span> <span class="o">@</span><span class="n">LogId</span> <span class="o">=</span> <span class="o">@</span><span class="n">newId</span> <span class="k">OUTPUT</span><span class="p">;</span> <span class="n">PRINT</span> <span class="s1">'Inserted surrogate log row with id: '</span> <span class="o">+</span> <span class="k">CAST</span><span class="p">(</span><span class="o">@</span><span class="n">newId</span> <span class="k">AS</span> <span class="n">NVARCHAR</span><span class="p">(</span><span class="mi">20</span><span class="p">));</span> <span class="c1">-- 11. Demonstrate plan reuse note (examples you can run multiple times)</span> <span class="c1">-- Running sp_executesql with the same statement text (and parameters) enables plan caching and reuse.</span> <span class="n">PRINT</span> <span class="s1">'--- Running repeated parameterized exec to demonstrate plan reuse potential ---'</span><span class="p">;</span> <span class="k">DECLARE</span> <span class="o">@</span><span class="n">i</span> <span class="nb">INT</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">WHILE</span> <span class="o">@</span><span class="n">i</span> <span class="o">&lt;</span> <span class="mi">3</span> <span class="k">BEGIN</span> <span class="k">SET</span> <span class="o">@</span><span class="n">minTotal</span> <span class="o">=</span> <span class="mi">50</span><span class="p">.</span><span class="mi">00</span> <span class="o">+</span> <span class="o">@</span><span class="n">i</span> <span class="o">*</span> <span class="mi">25</span><span class="p">;</span> <span class="k">EXEC</span> <span class="n">sp_executesql</span> <span class="n">N</span><span class="s1">'SELECT COUNT(*) FROM dbo.Orders WHERE Total &gt;= @minTotal'</span><span class="p">,</span> <span class="n">N</span><span class="s1">'@minTotal DECIMAL(10,2)'</span><span class="p">,</span> <span class="o">@</span><span class="n">minTotal</span> <span class="o">=</span> <span class="o">@</span><span class="n">minTotal</span><span class="p">;</span> <span class="k">SET</span> <span class="o">@</span><span class="n">i</span> <span class="o">=</span> <span class="o">@</span><span class="n">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="c1">-- 12. Cleanup note (optional)</span> <span class="c1">-- DROP PROCEDURE dbo.GetUsersByCountry;</span> <span class="c1">-- DROP PROCEDURE dbo.SearchOrders;</span> <span class="c1">-- DROP PROCEDURE dbo.AddLog;</span> <span class="c1">-- DROP TABLE dbo.Orders;</span> <span class="c1">-- DROP TABLE dbo.Users;</span> <span class="n">PRINT</span> <span class="s1">'--- Script complete ---'</span><span class="p">;</span> </code></pre> </div> <h2> Quick notes &amp; how this maps to the earlier explanation </h2> <ul> <li> <code>@param</code> is the SQL Server/T-SQL named placeholder style. Parameters are typed when declared in procedures or when passed to <code>sp_executesql</code>.</li> <li> <code>sp_executesql</code> allows safe dynamic SQL by separating SQL text from bound parameter values (compile once, pass different values).</li> <li>Stored procedures (<code>CREATE PROCEDURE</code>) accept typed parameters. Call them with <code>EXEC proc @p = value</code> (named) or <code>EXEC proc value</code> (positional).</li> <li>Unsafe concatenation (commented) demonstrates how attacker-supplied strings can change SQL structure. Use parameter binding instead.</li> <li>Repeated use of the <em>same</em> SQL text with different parameters helps plan reuse and reduces parsing/compilation overhead.</li> </ul> sqlserver database sql