Parameterized SQL statements are an easy way to avoid [[wp:SQL injection|SQL injection]] attacks. SQL drivers and libraries will automatically "sanitize" input to parameterized SQL statements to avoid these catastrophic database attacks. Second, parameterized SQL performs better. A lot better.

Using a SQL update statement like this one (spacing is optional):
<syntaxhighlight lang="sql">UPDATE players
   SET name = 'Smith, Steve', score = 42, active = true
   WHERE jerseyNum = 99</syntaxhighlight>show how to make a parameterized SQL statement, set the parameters to the values given above, and execute the statement.

<blockquote cite="http://blog.codinghorror.com/give-me-parameterized-sql-or-give-me-death/">Non-parameterized SQL is the GoTo statement of database programming. Don't do it, and make sure your coworkers don't either.</blockquote>