freeCodeCamp/guide/english/security/query-parameterization/index.md

---
title: Query Parameterization
---
## Query Parameterization

A common mistake when connecting your program to a database is to accept a user's input and apply it directly to the database without checking it first. This is a dangerous habit to get into, and you may hear more experienced developers warning others to "sanitize input" or "parameterize queries".

Let's start with a short example demonstrating the problem:

_(the following snippets are written in C# for MySQL, but the concept applies to any language and database)_

### The Problem

```csharp
public void RetrieveEmployeeInfo(string username)
{
    using (var connection = new MySqlConnection("valid_connection_string"))
    {
        var query = "SELECT * FROM EMPLOYEES WHERE USERNAME = '" + username + "'";

        using (var command = new MySqlCommand(query, connection))
        {
            var reader = command.ExecuteReader();
            while (reader.Read())
            {
                // do something with the results of your query, like display the employee
            }
        }
    }
}
```

At first glance, that might seem fairly harmless. If the user types "JDOE" into your program, and it's passed to this function, you'll end up executing a query like this:

```sql
SELECT * FROM EMPLOYEES WHERE USERNAME = 'JDOE';
```

The problem becomes more apparent when you consider what happens if the user _doesn't_ type what you expect. What if they type something like `JDOE'; DROP TABLE EMPLOYEES; --`? Your "query" string now looks like this, which will select the employee info, then delete the entire EMPLOYEES table!

```sql
SELECT * FROM EMPLOYEES WHERE USERNAME = 'JDOE'; DROP TABLE EMPLOYEES; --'
```

### The Solution

To prevent issues like this, we can parameterize our queries. Let's look at another example:

```csharp
public void RetrieveEmployeeInfo(string username)
{
    using (var connection = new MySqlConnection("valid_connection_string"))
    {
        var query = "SELECT * FROM EMPLOYEES WHERE USERNAME = @username";

        using (var command = new MySqlCommand(query, connection))
        {
            command.Parameters.AddWithValue("username", username);
                    
            var reader = command.ExecuteReader();
            while (reader.Read())
            {
                // do something with the results of your query, like display the employee
            }
        }
    }
}
```

Now what happens if the user types in `JDOE'; DROP TABLE EMPLOYEES; --`? Our program ends up executing a query like this one and, finding no employee whose username actually matches that input, simply returns no records.

```sql
SELECT * FROM EMPLOYEES WHERE USERNAME = 'JDOE\'; DROP TABLE EMPLOYEES; --'
```

No matter which language or database you're using, if you consider querying the database using user input, check the documentation for the proper way to parameterize queries.
fix: change directory structure 2018-10-12 15:37:13 -04:00			`---`
			`title: Query Parameterization`
			`---`
			`## Query Parameterization`

			`A common mistake when connecting your program to a database is to accept a user's input and apply it directly to the database without checking it first. This is a dangerous habit to get into, and you may hear more experienced developers warning others to "sanitize input" or "parameterize queries".`

			`Let's start with a short example demonstrating the problem:`

			`_(the following snippets are written in C# for MySQL, but the concept applies to any language and database)_`

			`### The Problem`

			```csharp
			`public void RetrieveEmployeeInfo(string username)`
			`{`
			`using (var connection = new MySqlConnection("valid_connection_string"))`
			`{`
			`var query = "SELECT * FROM EMPLOYEES WHERE USERNAME = '" + username + "'";`

			`using (var command = new MySqlCommand(query, connection))`
			`{`
			`var reader = command.ExecuteReader();`
			`while (reader.Read())`
			`{`
			`// do something with the results of your query, like display the employee`
			`}`
			`}`
			`}`
			`}`
			```

			`At first glance, that might seem fairly harmless. If the user types "JDOE" into your program, and it's passed to this function, you'll end up executing a query like this:`

			```sql
			`SELECT * FROM EMPLOYEES WHERE USERNAME = 'JDOE';`
			```

			The problem becomes more apparent when you consider what happens if the user _doesn't_ type what you expect. What if they type something like `JDOE'; DROP TABLE EMPLOYEES; --`? Your "query" string now looks like this, which will select the employee info, then delete the entire EMPLOYEES table!

			```sql
			`SELECT * FROM EMPLOYEES WHERE USERNAME = 'JDOE'; DROP TABLE EMPLOYEES; --'`
			```

			`### The Solution`

			`To prevent issues like this, we can parameterize our queries. Let's look at another example:`

			```csharp
			`public void RetrieveEmployeeInfo(string username)`
			`{`
			`using (var connection = new MySqlConnection("valid_connection_string"))`
			`{`
			`var query = "SELECT * FROM EMPLOYEES WHERE USERNAME = @username";`

			`using (var command = new MySqlCommand(query, connection))`
			`{`
			`command.Parameters.AddWithValue("username", username);`

			`var reader = command.ExecuteReader();`
			`while (reader.Read())`
			`{`
			`// do something with the results of your query, like display the employee`
			`}`
			`}`
			`}`
			`}`
			```

			Now what happens if the user types in `JDOE'; DROP TABLE EMPLOYEES; --`? Our program ends up executing a query like this one and, finding no employee whose username actually matches that input, simply returns no records.

			```sql
			`SELECT * FROM EMPLOYEES WHERE USERNAME = 'JDOE\'; DROP TABLE EMPLOYEES; --'`
			```

			`No matter which language or database you're using, if you consider querying the database using user input, check the documentation for the proper way to parameterize queries.`