What is the purpose of parameterized queries in SQL?

Prepare for the PCI DSS Test with detailed questions and explanations. Use flashcards and quizzes to enhance knowledge. Ensure you're ready for your certification exam!

Multiple Choice

What is the purpose of parameterized queries in SQL?

Explanation:
Parameterized queries separate the SQL code from the data being supplied, using placeholders and bound values. The database first prepares the statement with placeholders, then the actual values are sent separately and attached to those placeholders. Because the input is treated strictly as data and not part of the SQL command’s structure, user-provided values cannot alter how the query is executed. This prevents SQL injection attacks, where crafted input tries to modify the query to do something malicious. For example, a login check like selecting a user by name uses a placeholder for the name; even if someone enters something with SQL syntax, it’s handled as a data value rather than executable code. In contrast, other options refer to encryption, database migrations, or transmitting query results securely, which do not address how to keep SQL statements safe from injection.