SyntaxFix

[sql] What does a question mark represent in SQL queries?

While going through some SQL books I found that examples tend to use question marks (?) in their queries. What does it represent?

This question is related to sql prepared-statement

The answer is

I don't think that has any meaning in SQL. You might be looking at Prepared Statements in JDBC or something. In that case, the question marks are placeholders for parameters to the statement.

What you are seeing is a parameterized query. They are frequently used when executing dynamic SQL from a program.

For example, instead of writing this (note: pseudocode):

ODBCCommand cmd = new ODBCCommand("SELECT thingA FROM tableA WHERE thingB = 7")
result = cmd.Execute()

You write this:

ODBCCommand cmd = new ODBCCommand("SELECT thingA FROM tableA WHERE thingB = ?")
cmd.Parameters.Add(7)
result = cmd.Execute()

This has many advantages, as is probably obvious. One of the most important: the library functions which parse your parameters are clever, and ensure that strings are escaped properly. For example, if you write this:

string s = getStudentName()
cmd.CommandText = "SELECT * FROM students WHERE (name = '" + s + "')"
cmd.Execute()

What happens when the user enters this?

Robert'); DROP TABLE students; --

(Answer is here)

Write this instead:

s = getStudentName()
cmd.CommandText = "SELECT * FROM students WHERE name = ?"
cmd.Parameters.Add(s)
cmd.Execute()

Then the library will sanitize the input, producing this:

"SELECT * FROM students where name = 'Robert''); DROP TABLE students; --'"

Not all DBMS's use ?. MS SQL uses named parameters, which I consider a huge improvement:

cmd.Text = "SELECT thingA FROM tableA WHERE thingB = @varname"
cmd.Parameters.AddWithValue("@varname", 7)
result = cmd.Execute()

It normally represents a parameter to be supplied by client.

The ? is to allow Parameterized Query. These parameterized query is to allow type-specific value when replacing the ? with their respective value.

That's all to it.

Here's a reason of why it's better to use Parameterized Query. Basically, it's easier to read and debug.

The ? is an unnamed parameter which can be filled in by a program running the query to avoid SQL injection.

It's a parameter. You can specify it when executing query.

Source: Stackoverflow.com

Examples related to sql

Passing multiple values for same variable in stored procedure SQL permissions for roles Generic XSLT Search and Replace template Access And/Or exclusions Pyspark: Filter dataframe based on multiple conditions Subtracting 1 day from a timestamp date PYODBC--Data source name not found and no default driver specified select rows in sql with latest date for each ID repeated multiple times ALTER TABLE DROP COLUMN failed because one or more objects access this column Create Local SQL Server database

Examples related to prepared-statement

Using setDate in PreparedStatement How to use an arraylist as a prepared statement parameter Where's my invalid character (ORA-00911) How can prepared statements protect from SQL injection attacks? Using "like" wildcard in prepared statement What does "if (rs.next())" mean? Java: Insert multiple rows into MySQL with PreparedStatement What does a question mark represent in SQL queries? PreparedStatement with list of parameters in a IN clause Using prepared statements with JDBCTemplate

Tags

Numeric-keypad Checkstyle Virtual-machine Openxls Winforms-interop Customvalidator Decrement Apk Pkcs#8 Fclose Target-action Custom-tag Synchronized Dependency-injection Validate-request Silverlight-embedded Typed-dataset Sqlbuilder Etch Lso Triangle-count Controlfile Openfeint Line-of-business-app Mel Datecreated Dotty Httpresponse Aubio External-accessory Siteminder Cpu-architecture Relative-date Quaternions Hobby-os Istream-iterator Nscalendar Ranking Annotations Sieve-of-eratosthenes System-monitoring Iocp Fcgid Applicationpage Interpretation Sam Rfc5322 Redhat Telerik Computer-vision Forward-reference Package Openstep Input-history Local Armadillo Mockolate Variable-expansion Auto-lock Algol Browsable Page-layout Push-notification Accelerator Hyde Truecrypt Po Args Aidl Instance-eval Adldap Formish Hdd Concurrentmodification Image-segmentation Explicit Fancybox Liferay Sca Shtml System.web.mail Viewexpiredexception Image-formats Hibernate-session Tadodataset Spoken-language Newenvironment Icann Loginview Jqtouch Isabout Getfeatureinfo Thickness Piano Ajax4jsf Editmodel Nssearchfield Cfrunloop Finalcut Entity-framework-ctp5