Parameterized queries are key to preventing SQL injection in any SQL including MariaDB. However, in MariaDB (and MySQL), the parameterization itself is handled at the level of the client application, not in SQL syntax directly.
Parameterized queries are also a lot faster when executed inside a loop many times, as the server only parses the SQL once.
Here is a sample code using PHP of a parameterized query with MariaDB.
Code: Select all | Expand
$mysqli = new mysqli("localhost", "user", "password", "database");
$stmt = $mysqli->prepare("SELECT * FROM users WHERE username = ?");
$stmt->bind_param("s", $username); // 's' means string
$username = "rcrespo";
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
print_r($row);
}Thank you.
