Query Parameters


Query parameters are a good way to avoid SQL injection and to reuse the same prepared query with different values in its value placeholders (parameters): the value is bound as data, never parsed as part of the SQL statement.


In the SQL Editor, you can test queries with parameters by writing value placeholder names prefixed with a colon, e.g. :customerid


The query below has such a parameter:

select *
from CUSTOMERS
where custid > :cid


To execute this query in the SQL Editor, you first need to prepare it. If possible, the correct data type for the :cid parameter will be fetched from the DBMS.

Figure: SQL Editor toolbar with the Prepare button highlighted

If you don't explicitly prepare a statement that contains parameters, Database Workbench will prepare it for you. In both cases, the Parameters tab will be shown.

Figure: SQL Editor with the Parameters tab active

On the Parameters tab you can enter a value for each parameter, or assign NULL. If the correct data type for a parameter was not selected automatically, adjust it.


There's also the Parameter History, which lists previously entered parameter values. Clicking a row in the history selects those values for the parameters, including NULL assignments and data types.


After entering values or assigning NULL, you can execute the prepared query and the values will be bound to the parameters. A new entry will be added to the history.
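The same placeholder query, bound and executed from Python against an in-memory SQLite database, as an added example that is not Database Workbench code; the CUSTOMERS table and its rows are constructed here. It shows the query reused with different values, NULL assigned to the parameter, and a text value that would change the statement if it were pasted in, but is simply bound as data.

```python
import sqlite3

# Constructed sample rows standing in for the page's CUSTOMERS table.
SAMPLE_CUSTOMERS = [(1, "Alice"), (2, "Bob"), (3, "Carol"), (4, "Dave")]

# The page's query; :cid is the named value placeholder.
QUERY = "select * from CUSTOMERS where custid > :cid"


def open_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with the constructed CUSTOMERS table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table CUSTOMERS (custid integer primary key, name text)")
    conn.executemany("insert into CUSTOMERS values (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def customers_above(conn: sqlite3.Connection, cid) -> list:
    """Execute the prepared query with cid bound to :cid.

    Passing None binds SQL NULL. Returns the matching custid values.
    """
    return [row[0] for row in conn.execute(QUERY, {"cid": cid})]


def demo() -> dict:
    """Run the same prepared query with several parameter values."""
    conn = open_sample_db()
    results = {
        # Integer value: rows with custid 3 and 4.
        "cid=2": customers_above(conn, 2),
        # NULL: 'custid > NULL' is unknown for every row, so nothing matches.
        "cid=NULL": customers_above(conn, None),
        # Numeric text: SQLite's column affinity converts '2' to 2, the
        # equivalent of picking the right data type on the Parameters tab.
        "cid='2'": customers_above(conn, "2"),
        # Non-numeric text is bound as a string, not parsed as SQL, so the
        # statement's logic is unchanged and no integer custid exceeds it.
        "cid=text": customers_above(conn, "0 or 1=1"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```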