Parameterized Queries
Prevent SQL injection.
The Danger of String Building
Building SQL by concatenating strings is risky. If user input contains SQL, it can change your query. This is called SQL injection.
Never do this with untrusted data.
name = 'Alice'
# Unsafe pattern - do NOT do this
query = "SELECT * FROM users WHERE name = '" + name + "'"
print(query)What Injection Looks Like
Imagine a malicious value. Concatenating it changes the query meaning entirely.
name = "x' OR '1'='1"
query = "SELECT * FROM users WHERE name = '" + name + "'"
print(query)
print('The OR clause makes every row match!')