[{"data":1,"prerenderedAt":401},["ShallowReactive",2],{"blog-prompts/parameterize-queries":3},{"id":4,"title":5,"body":6,"category":380,"date":381,"dateModified":382,"description":383,"draft":384,"extension":385,"faq":386,"featured":384,"headerVariant":387,"image":386,"keywords":386,"meta":388,"navigation":389,"ogDescription":390,"ogTitle":386,"path":391,"readTime":386,"schemaOrg":392,"schemaType":393,"seo":394,"sitemap":395,"stem":396,"tags":397,"twitterCard":399,"__hash__":400},"blog/blog/prompts/parameterize-queries.md","Parameterize Database Queries with AI Prompts",{"type":7,"value":8,"toc":370},"minimark",[9,16,21,24,86,90,93,151,155,158,215,225,229,232,291,300,316,320,323,344,358],[10,11,12],"tldr",{},[13,14,15],"p",{},"Parameterized queries separate SQL code from data, making injection through those values impossible. These prompts help you convert string concatenation patterns to prepared statements in JavaScript, Python, PHP, and other languages. Use your database library's parameterization syntax.",[17,18,20],"h2",{"id":19},"javascriptnodejs-parameterization","JavaScript/Node.js Parameterization",[13,22,23],{},"Use this prompt to convert unsafe string-concatenation queries in your Node.js code to parameterized statements. 
Your AI will identify every vulnerable query and rewrite it using the correct placeholder syntax for your specific database library (pg, mysql2, or better-sqlite3).",[25,26,28,31,38,41,54,57,69,72],"prompt-box",{"title":27},"Node.js Query Conversion",[13,29,30],{},"Convert these Node.js database queries to use parameterization.",[13,32,33,34],{},"Database library: ",[35,36,37],"span",{},"pg/mysql2/better-sqlite3",[13,39,40],{},"Find all queries using string concatenation or template literals:",[42,43,44,48,51],"ul",{},[45,46,47],"li",{},"`SELECT * FROM users WHERE id = ${id}`",[45,49,50],{},"\"SELECT * FROM posts WHERE title = '\" + title + \"'\"",[45,52,53],{},"query(\"DELETE FROM items WHERE id = \" + req.params.id)",[13,55,56],{},"Convert each to:",[58,59,60,63,66],"ol",{},[45,61,62],{},"Parameterized syntax for my specific library",[45,64,65],{},"Show the values array passed separately",[45,67,68],{},"Keep the same query logic, just make it safe",[13,70,71],{},"Library-specific examples needed:",[42,73,74,77,80],{},[45,75,76],{},"pg: $1, $2 placeholders with values array",[45,78,79],{},"mysql2: ? placeholders",[45,81,82,83],{},"better-sqlite3: ? or named ",[84,85],"params",{},[17,87,89],{"id":88},"python-parameterization","Python Parameterization",[13,91,92],{},"Copy this prompt to find and convert unsafe Python database queries to properly parameterized statements. 
You'll get before-and-after examples for your specific library (psycopg2, sqlite3, or SQLAlchemy) with explanations of why each original was vulnerable.",[25,94,96,99,105,108,119,122,137,140],{"title":95},"Python Query Conversion",[13,97,98],{},"Convert Python database queries to parameterized statements.",[13,100,101,102],{},"Library: ",[35,103,104],{},"psycopg2/mysql-connector/sqlite3/SQLAlchemy",[13,106,107],{},"Find unsafe patterns:",[42,109,110,113,116],{},[45,111,112],{},"f\"SELECT * FROM users WHERE email = '{email}'\"",[45,114,115],{},"\"SELECT * FROM posts WHERE id = %s\" % post_id",[45,117,118],{},"cursor.execute(\"DELETE FROM items WHERE id = \" + str(item_id))",[13,120,121],{},"Convert to proper parameterization:",[42,123,124,127,130],{},[45,125,126],{},"psycopg2: %s placeholders with tuple",[45,128,129],{},"sqlite3: ? placeholders with tuple",[45,131,132,133,136],{},"SQLAlchemy: Use text() with ",[134,135],"named",{}," params or ORM methods",[13,138,139],{},"For each conversion, show:",[58,141,142,145,148],{},[45,143,144],{},"The unsafe original",[45,146,147],{},"The safe parameterized version",[45,149,150],{},"Why the original was vulnerable",[17,152,154],{"id":153},"orm-query-safety","ORM Query Safety",[13,156,157],{},"This prompt asks your AI to find raw query bypasses hiding inside your ORM code. 
You'll get safe rewrites using either the ORM's parameterized raw query syntax or its query builder, for Prisma, Sequelize, TypeORM, or Django ORM.",[25,159,161,164,170,173,184,187,198,201],{"title":160},"Fix Unsafe ORM Usage",[13,162,163],{},"Find and fix unsafe raw queries within my ORM code.",[13,165,166,167],{},"ORM: ",[35,168,169],{},"Prisma/Sequelize/TypeORM/Django ORM/SQLAlchemy",[13,171,172],{},"Even with an ORM, I might have unsafe patterns:",[42,174,175,178,181],{},[45,176,177],{},"Raw query methods with string interpolation",[45,179,180],{},"Bypassing the ORM for complex queries",[45,182,183],{},"Using .extra() or raw() incorrectly",[13,185,186],{},"For each issue found:",[58,188,189,192,195],{},[45,190,191],{},"Convert to use ORM's safe raw query syntax",[45,193,194],{},"Or rewrite using the ORM's query builder",[45,196,197],{},"Show both options when possible",[13,199,200],{},"Examples to check:",[42,202,203,206,209,212],{},[45,204,205],{},"Prisma: $queryRaw with template strings (safe) vs concatenation (unsafe)",[45,207,208],{},"Sequelize: sequelize.query() with replacements",[45,210,211],{},"TypeORM: Raw() with parameters",[45,213,214],{},"Django: .raw() and .extra() usage",[216,217,218],"warning-box",{},[13,219,220,224],{},[221,222,223],"strong",{},"Template literals aren't always safe:"," In Prisma, $queryRaw with tagged template literals is safe, but $queryRawUnsafe with string concatenation is not. Know the difference in your ORM.",[17,226,228],{"id":227},"bulk-operations","Bulk Operations",[13,230,231],{},"Use this prompt to safely parameterize bulk INSERT, UPDATE, and DELETE operations. 
Your AI will replace unsafe string-joined VALUES and IN clauses with properly parameterized versions for PostgreSQL, MySQL, or any generic database.",[25,233,235,238,241,252,255,263,266,277,280],{"title":234},"Safe Bulk Queries",[13,236,237],{},"Help me parameterize bulk database operations safely.",[13,239,240],{},"Scenarios:",[58,242,243,246,249],{},[45,244,245],{},"INSERT multiple rows at once",[45,247,248],{},"UPDATE with dynamic WHERE IN clause",[45,250,251],{},"DELETE multiple items by ID list",[13,253,254],{},"Current unsafe approach:",[42,256,257,260],{},[45,258,259],{},"Building VALUES string: \"('\" + values.join(\"'),('\") + \"')\"",[45,261,262],{},"Building IN clause: \"WHERE id IN (\" + ids.join(\",\") + \")\"",[13,264,265],{},"Convert to safe versions:",[58,267,268,271,274],{},[45,269,270],{},"Use proper multi-row INSERT syntax with parameters",[45,272,273],{},"Use array parameters for IN clauses where supported",[45,275,276],{},"Generate correct number of placeholders dynamically",[13,278,279],{},"Show solutions for:",[42,281,282,285,288],{},[45,283,284],{},"PostgreSQL (ANY($1) syntax)",[45,286,287],{},"MySQL (multiple ? placeholders)",[45,289,290],{},"Generic approach for any database",[292,293,294],"tip-box",{},[13,295,296,299],{},[221,297,298],{},"Pro tip:"," For IN clauses with many items, some databases support array parameters (PostgreSQL's ANY) which are cleaner than generating multiple placeholders.",[301,302,303,310],"faq-section",{},[304,305,307],"faq-item",{"question":306},"Can I parameterize table or column names?",[13,308,309],{},"No. Parameters only work for values, not identifiers. For dynamic table/column names, use a whitelist approach where you map user input to predefined allowed names.",[304,311,313],{"question":312},"Is there a performance difference with parameterized queries?",[13,314,315],{},"Parameterized queries can actually be faster because the database can cache the query plan and reuse it. 
The difference is usually negligible either way.",[17,317,319],{"id":318},"further-reading","Further Reading",[13,321,322],{},"Want to understand the vulnerability before fixing it? These guides explain what's happening and why.",[42,324,325,332,338],{},[45,326,327],{},[328,329,331],"a",{"href":330},"/blog/vulnerabilities/exposed-api-keys","Understanding exposed API keys",[45,333,334],{},[328,335,337],{"href":336},"/blog/how-to/hide-api-keys","How to hide API keys step-by-step",[45,339,340],{},[328,341,343],{"href":342},"/blog/best-practices/secrets","Secret management best practices",[345,346,347,353],"related-articles",{},[348,349],"related-card",{"description":350,"href":351,"title":352},"Complete SQL injection guide","/blog/prompts/fix-sql-injection","Fix SQL Injection",[348,354],{"description":355,"href":356,"title":357},"Validate before querying","/blog/prompts/database-input-validation","Database Input Validation",[359,360,363,367],"cta-box",{"href":361,"label":362},"/","Start Free Scan",[17,364,366],{"id":365},"find-unparameterized-queries","Find Unparameterized Queries",[13,368,369],{},"Scan your codebase for SQL injection vulnerabilities automatically.",{"title":371,"searchDepth":372,"depth":372,"links":373},"",2,[374,375,376,377,378,379],{"id":19,"depth":372,"text":20},{"id":88,"depth":372,"text":89},{"id":153,"depth":372,"text":154},{"id":227,"depth":372,"text":228},{"id":318,"depth":372,"text":319},{"id":365,"depth":372,"text":366},"prompts","2026-02-20","2026-03-06","AI prompts to convert string concatenation to parameterized queries. 
Prevent SQL injection by using prepared statements in any language or framework.",false,"md",null,"cyan",{},true,"AI prompts to convert unsafe queries to parameterized statements.","/blog/prompts/parameterize-queries","[object Object]","BlogPosting",{"title":5,"description":383},{"loc":391},"blog/prompts/parameterize-queries",[398],"Database","summary_large_image","Kzy03VClV9ibGG-anSRbXGp1GqZ4qmnBRzwh2Hrtf4Y",1775843938483]