Parameterized Queries (SQL Injection defence)
Always use prepared statements: they prevent SQL injection by separating code (the SQL text, compiled once with placeholders) from data (the values bound to those placeholders at execution time).
| Language | Safe parameterisation |
|---|---|
| Python (SQLite) | |
| Java (JDBC) | |
| PHP (PDO) | |
Never use
- String concatenation (`"SELECT * FROM users WHERE id = " + user_id`).
- Dynamic SQL (`EXECUTE IMMEDIATE` in PL/SQL).
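The following added example (not part of the original page) puts the concatenation pattern from the list above next to its parameterised form using Python's built-in `sqlite3`, the first row of the table, against a constructed in-memory table; the tainted input is constructed to show that a bound parameter is only ever compared as a value, while the spliced string changes the query itself.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration (not from the page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "o'brien")],
    )
    return conn


def lookup_concat(conn, user_id):
    # UNSAFE: the "never use" pattern. The caller's string is spliced into
    # the SQL text, so whatever it contains becomes part of the statement.
    sql = "SELECT * FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_param(conn, user_id):
    # SAFE: the statement is compiled with a ? placeholder and the driver
    # binds user_id separately; it can only ever be compared as a value.
    return conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()


def lookup_by_name(conn, name):
    # Binding also handles quoting: a name containing an apostrophe needs
    # no escaping, whereas concatenating it would break the SQL text.
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(lookup_concat(conn, "2"))  # [(2, 'bob')]
    print(lookup_param(conn, "2"))   # [(2, 'bob')]
    tainted = "2 OR 1=1"  # constructed input: a value that is also valid SQL
    print(lookup_concat(conn, tainted))  # all three rows: the condition joined the query
    print(lookup_param(conn, tainted))   # []: no row has an id equal to that string
    print(lookup_by_name(conn, "o'brien"))  # [(3,)]
```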
Last update: 2025-06-07 06:04