What is SQL injection and how do parameterized queries prevent it?

Prepare for the Veritas Qualifying Exam with comprehensive quizzes featuring multiple-choice questions, detailed explanations, and useful tips. Master the exam material and boost your confidence!

Multiple Choice

What is SQL injection and how do parameterized queries prevent it?

Explanation:
SQL injection happens when user input is treated as SQL code rather than as data. If you build a query by concatenating strings with user input, a malicious input could alter the query’s structure and do things you didn’t intend, like exposing data or modifying it. Parameterized queries define the SQL with placeholders and then supply the actual values separately, so the database treats those values strictly as data. The result is that even crafted input can’t change the command’s meaning because the code and the data are kept separate. For example, a vulnerable string-constructed query might allow special input to modify the WHERE clause, whereas a parameterized version keeps the input as a literal value. This approach protects against injection while still letting you pass the necessary data to the query; other options describe performance or compilation aspects that don’t address how input is safely handled.
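The contrast described above, as an added example that is not part of the original quiz: a string-built query beside its parameterized counterpart, run against a small constructed SQLite table, with one input that changes the WHERE clause in the first version and stays a plain literal in the second. The table, user names and the `find_user_*` helpers are assumptions made for this demonstration.

```python
import sqlite3

# Constructed sample data (not from the page): an in-memory table of users.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn

def find_user_vulnerable(conn, username):
    # Vulnerable: the input is spliced into the SQL text, so a quote inside it
    # ends the literal and whatever follows becomes part of the command.
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]

def find_user_parameterized(conn, username):
    # Parameterized: the SQL is fixed at parse time; the value is bound separately
    # and can only ever be compared as data, quotes and all.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]

# Constructed test input: a value containing a quote and an OR clause. Useful as a
# regression check that a data-access layer really binds parameters.
CRAFTED = "x' OR '1'='1"

def demo():
    conn = make_db()
    return {
        # WHERE clause rewritten: matches every row instead of the one user
        "vulnerable": find_user_vulnerable(conn, CRAFTED),
        # same input treated as a literal username: matches nothing
        "parameterized": find_user_parameterized(conn, CRAFTED),
        # ordinary lookup still works through the parameterized path
        "normal": find_user_parameterized(conn, "bob"),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running it prints three rows for the vulnerable lookup, none for the parameterized one with the same input, and only `bob` for the ordinary query.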

