What does a question mark represent in SQL queries?

Question

While going through some SQL books I found that examples tend to use question marks (?) in their queries. What does it represent?

I guess it is variables in prepared statements, but you should post that particular query to be sure. — kennytm, Sep 16 '10 at 14:33

score 131 · Answer 1 · edited Oct 04 '11 at 23:15

What you are seeing is a parameterized query. They are frequently used when executing dynamic SQL from a program.

For example, instead of writing this (note: pseudocode):

ODBCCommand cmd = new ODBCCommand("SELECT thingA FROM tableA WHERE thingB = 7")
result = cmd.Execute()

You write this:

ODBCCommand cmd = new ODBCCommand("SELECT thingA FROM tableA WHERE thingB = ?")
cmd.Parameters.Add(7)
result = cmd.Execute()

This has many advantages, as is probably obvious. One of the most important: the library functions which parse your parameters are clever, and ensure that strings are escaped properly. For example, if you write this:

string s = getStudentName()
cmd.CommandText = "SELECT * FROM students WHERE (name = '" + s + "')"
cmd.Execute()

What happens when the user enters this?

Robert'); DROP TABLE students; --

(Answer is here)

Write this instead:

s = getStudentName()
cmd.CommandText = "SELECT * FROM students WHERE name = ?"
cmd.Parameters.Add(s)
cmd.Execute()

Then the library will sanitize the input, producing this:

"SELECT * FROM students where name = 'Robert''); DROP TABLE students; --'"

Not all DBMS's use ?. MS SQL uses named parameters, which I consider a huge improvement:

cmd.Text = "SELECT thingA FROM tableA WHERE thingB = @varname"
cmd.Parameters.AddWithValue("@varname", 7)
result = cmd.Execute()

score 22 · Answer 2 · answered Sep 16 '10 at 14:32

22

The ? is an unnamed parameter which can be filled in by a program running the query to avoid SQL injection.

answered Sep 16 '10 at 14:32

SLaks

868,454
176
1,908
1,964

1

Can you provide an example of this? – Brad Sep 16 '10 at 14:41

score 8 · Answer 3 · edited Sep 17 '22 at 12:34

8

The ? is to allow Parameterized Query. These parameterized query is to allow type-specific value when replacing the ? with their respective value.

That's all to it.

There are several reasons why it's good practice to use Parameterized Queries. In essence, it's easier to read and debug, and circumvents SQL injection attacks.

edited Sep 17 '22 at 12:34

Peterino

15,097
3
28
29

answered Sep 16 '10 at 14:47

Buhake Sindi

87,898
29
167
228

score 2 · Answer 4 · answered Sep 16 '10 at 14:33

2

It's a parameter. You can specify it when executing query.

answered Sep 16 '10 at 14:33

amorfis

15,390
15
77
125

score 2 · Answer 5 · answered Sep 16 '10 at 14:33

2

I don't think that has any meaning in SQL. You might be looking at Prepared Statements in JDBC or something. In that case, the question marks are placeholders for parameters to the statement.

answered Sep 16 '10 at 14:33

vicatcu

5,407
7
41
65

score 1 · Answer 6 · answered Sep 16 '10 at 14:32

1

It normally represents a parameter to be supplied by client.

answered Sep 16 '10 at 14:32

Jens Schauder

77,657
34
181
348

What does a question mark represent in SQL queries?

6 Answers6

Linked

Related