What Does Parameterized Query Mean?
A parameterized query is a SQL query that requires at least one parameter for execution. A placeholder normally stands in for the parameter in the SQL text, and the parameter value is then passed to the query in a separate statement, so the database receives it as data rather than as part of the SQL.
Techopedia Explains Parameterized Query
One major reason for using parameterized queries is that they make queries more readable. The second and most compelling reason is that parameterized queries help protect the database from SQL injection attacks: because the parameter value is supplied separately from the SQL text, the database never parses it as SQL, so user input cannot alter the structure or logic of the query.
The following is an example of an ADO.NET parameterized query:
SELECT LastName FROM Contacts WHERE ContactID = @ContactID;
@ContactID is the parameter for this query, which might be defined in a subsequent statement similar to the following:
command.Parameters.Add(new SqlParameter("@ContactID", theContactID));
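The same query in Python's sqlite3 module, as an added example that is not from the original page (which shows ADO.NET): a string-concatenated lookup beside the parameterized one, run against a constructed Contacts table so the difference in behaviour can be observed. The table contents, the function names and the sqlite3 `:ContactID` placeholder (the sqlite3 equivalent of ADO.NET's `@ContactID`) are assumptions made for this example.

```python
import sqlite3

# Constructed sample data for this example (not from the original page).
SAMPLE_CONTACTS = [(1, "Alice"), (2, "Bob"), (3, "Carol")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small Contacts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Contacts (ContactID INTEGER PRIMARY KEY, LastName TEXT)"
    )
    conn.executemany("INSERT INTO Contacts VALUES (?, ?)", SAMPLE_CONTACTS)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, contact_id: str) -> list:
    """Vulnerable form: the caller's text is pasted into the SQL statement,
    so the database parses whatever it contains as SQL."""
    sql = f"SELECT LastName FROM Contacts WHERE ContactID = {contact_id};"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, contact_id) -> list:
    """Parameterized form: ':ContactID' is the placeholder in the SQL text
    and the value is bound separately, so it is only ever treated as data."""
    sql = "SELECT LastName FROM Contacts WHERE ContactID = :ContactID;"
    return [row[0] for row in conn.execute(sql, {"ContactID": contact_id})]


if __name__ == "__main__":
    db = make_db()
    # A well-formed ID behaves the same either way.
    print(lookup_parameterized(db, 2))  # ['Bob']
    # Malformed input changes the query's logic only when concatenated;
    # bound as a parameter it simply matches no ContactID.
    malformed = "1 OR 1=1"
    print(lookup_concatenated(db, malformed))   # every row
    print(lookup_parameterized(db, malformed))  # []
```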