T-SQL Tutorial

How to use parameters in SQL query


This article shows you how to use parameters in an SQL Query using the T-SQL language. In SQL Server, parameters are placeholders in a SQL query that allow you to pass values into a query dynamically. Parameters are used to make your SQL queries more flexible, secure, and efficient by allowing you to reuse the same query with different input values. They are commonly used in various SQL operations, such as SELECT, INSERT, UPDATE, DELETE, and stored procedures. Parameters can be used in different parts of an SQL statement, such as the WHERE clause, JOIN conditions, or the ORDER BY clause.

Here's how you can use parameters in SQL Server:


Declaring Parameters

You can declare parameters using the DECLARE statement in SQL Server, or you can define parameters in a stored procedure or a prepared SQL statement. Here's an example of declaring a parameter in a stored procedure:

CREATE PROCEDURE GetEmployeeByID
@EmployeeID INT
AS
BEGIN
-- SQL query using the parameter
SELECT * FROM Employees WHERE EmployeeID = @EmployeeID;
END;

In this example, @EmployeeID is a parameter that allows you to pass an integer value to the stored procedure.


Using Parameters in Queries

To use parameters in your SQL queries, you can reference them with the @ symbol followed by the parameter name. For example:

DECLARE @EmployeeID INT;
SET @EmployeeID = 1001;

SELECT * FROM Employees
WHERE EmployeeID = @EmployeeID;

In this example, @EmployeeID is used in the WHERE clause to filter the results.


Executing Queries with Parameters

When executing SQL queries with parameters in SQL Server, you can pass values to those parameters using various methods. Here's an example using sp_executesql:

DECLARE @EmployeeID INT;
SET @EmployeeID = 2;

EXEC sp_executesql
N'SELECT * FROM EMPLOYEES
WHERE EmployeeID = @EmployeeID',
N'@EmployeeID INT',
@EmployeeID;

In this case, sp_executesql is used to execute the query with the parameter @EmployeeID.


Benefits of using parameters in SQL queries

Security: Using parameters helps protect your database from SQL injection attacks by ensuring that input values are properly sanitized.

Performance: SQL Server can optimize query execution plans when parameters are used, resulting in better performance, as the query plan can be cached and reused with different parameter values.

Reusability: Queries with parameters are more versatile and can be reused with different input values, reducing the need for writing multiple similar queries.

Maintainability: Parameterized queries are easier to read and maintain because they separate the SQL code from the input values.

Data Type Handling: Parameters ensure that data types are handled correctly. SQL Server automatically converts parameter values to the appropriate data type, preventing type conversion errors and ensuring data integrity.

Debugging and Testing: Parameterized queries simplify debugging and testing. You can easily log or display parameter values to troubleshoot issues, and testing different scenarios becomes more manageable by changing the parameter values.

In summary, parameters in SQL Server are placeholders that allow you to pass values into SQL queries dynamically, making your queries more secure, efficient, and flexible. They are commonly used in stored procedures, dynamic SQL statements, and other SQL operations.