SQL – Parameters
Make SQL queries safe and reusable using parameter placeholders instead of string concatenation.
Table of Contents
Parameters (also called bind variables or placeholders) let you write a query template with placeholder symbols instead of hard-coded values. The values are supplied separately, and the database driver handles proper escaping. This is the correct solution to SQL injection and also makes queries more efficient — the database can reuse the query execution plan across different parameter values.
Different database drivers use different placeholder syntax: ? in SQLite and MySQL, $1, $2... in PostgreSQL, or :name for named parameters in SQLAlchemy.
Parameter placeholders
# SQLite (Python)
cursor.execute("SELECT * FROM students WHERE city=? AND grade=?",
(city_value, grade_value))
# PostgreSQL
cursor.execute("SELECT * FROM students WHERE city=%s AND grade=%s",
(city_value, grade_value))
# Named parameters (SQLAlchemy)
cursor.execute("SELECT * FROM students WHERE city=:city",
{"city": city_value})
Try It Yourself — Interactive SQL Editor
Edit the query below and click Run Query ▶ to see live results powered by SQLite running directly in your browser.
Key Points
- Parameters prevent SQL injection by separating code from data
- Reusable as prepared statements for improved performance
- Supported by every modern database driver in every language
- Named parameters (:city) are more readable than positional (?)
Pro Tip from CodesCompiler: The best way to learn SQL is to break things intentionally — modify the query above, change the WHERE conditions, try different columns. Every error teaches you something the docs cannot.
In the next lesson, we continue exploring SQL’s powerful feature set to build your database mastery.