SQL Named Parameters
Structured Query Language (SQL) databases and their client drivers support named parameters: placeholders in a query or stored-procedure call that are bound to values by name, so a desktop or Web application can pass data to and from the database without assembling SQL text by hand. Because each value travels separately from the SQL text, named parameters also defend against SQL injection, an attack in which user-supplied input is interpreted as SQL and used to read, change or delete data in the tables.
Purpose
A named parameter gives each input of a SQL statement or stored procedure a label, such as @CustomerName in SQL Server or :name in PHP's PDO, instead of relying on position. The client application binds a value to each label when it calls the procedure, and the procedure uses those values to insert a new row, update existing rows or select data to return to the application.
Clients
Named parameters are used from both Web and desktop clients. In Java, the JDBC driver connects to the database, and a CallableStatement binds stored-procedure parameters by name (for example setString("name", value)); an ordinary PreparedStatement uses positional ? placeholders instead. Java is as common on the server side as on the desktop. In PHP, the PDO extension supports named placeholders such as :name, bound with bindValue() or with an associative array passed to execute().
Security
When a value is bound to a named parameter, the database receives the SQL text and the value separately. The value is never parsed as SQL, so a tick mark (single quote) or any other special character inside it is treated as part of the data rather than as the end of a string literal. The input cannot reshape the query, which is why parameterized statements are the primary defense against SQL injection. The protection covers values only: table and column names, ORDER BY clauses and any SQL that a stored procedure builds by string concatenation (for example with EXEC) are not protected and must be validated against an allow list or parameterized with a facility such as sp_executesql.
Considerations
The names used by the client must match the names declared in the stored procedure. A missing or unknown name is normally rejected by the driver or the database rather than silently bound to the wrong parameter, so treat such an error as a bug to fix, not a condition to suppress. A parameter can also be declared with a default value (for example @Status VARCHAR(10) = 'active' in SQL Server), so a client that omits it gets the default instead of an error.
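The following is an added example, not code from the original article, illustrating the Security and Considerations points above. It uses Python's built-in sqlite3 module, which supports the same :name placeholder style, in place of a stored procedure called from PHP or Java; the users table, the rows in it and the function names are constructed for the demonstration. It contrasts a query built by string concatenation with one that binds a named parameter, shows that a mismatched parameter name is rejected rather than silently misbound, and allow-lists a column name because identifiers cannot be bound as parameters.

```python
import sqlite3

# Constructed sample data for the example; not from the original article.
USERS = [
    ("alice", "alice@example.com", "s3cr3t"),
    ("bob", "bob@example.com", "hunter2"),
]

# Only these identifiers may be spliced into an ORDER BY clause.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def make_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """Vulnerable: the value is spliced into the SQL text, so a tick mark in
    it ends the string literal and everything after it is parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_named(conn, name):
    """Hardened: the SQL text is fixed and :name is bound separately, so the
    same payload is compared as data and matches nothing."""
    sql = "SELECT name, email FROM users WHERE name = :name"
    return conn.execute(sql, {"name": name}).fetchall()


def find_user_wrong_name(conn, name):
    """Binding a dict whose key does not match the :name placeholder makes
    sqlite3 raise ProgrammingError instead of guessing which value to use."""
    sql = "SELECT name, email FROM users WHERE name = :name"
    try:
        conn.execute(sql, {"username": name}).fetchall()
        return "executed"
    except sqlite3.ProgrammingError:
        return "rejected"


def list_users_sorted(conn, column):
    """Identifiers cannot be parameterized, so the column name is checked
    against an allow list before it is spliced into the query."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    return conn.execute("SELECT name FROM users ORDER BY " + column).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, payload))   # every row leaks
    print("named:", find_user_named(db, payload))     # no rows
    print("wrong name:", find_user_wrong_name(db, "alice"))
    print("sorted:", list_users_sorted(db, "email"))
```

Run as a script, the concatenated query returns both users for the payload ' OR '1'='1, while the parameterized query returns nothing because the whole string, quote included, is compared against the name column.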