Many developers are aware of the dangers of SQL injection and that using parameters to pass information to SQL queries can prevent SQL injection. However, not all operations requested from the database can be parameterized. Metadata queries, for example, often take filters to restrict the metadata information returned to a specific database, schema, or table. Depending on the database, the query used to get the metadata information might not allow filter information to be passed as a parameter. If an application gets filter information from the end user, the value should be validated to ensure it does not contain malicious values. In general, an application should validate any value from the user that is passed to the driver that is not a parameter to a prepared statement.
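As an added example (not from the original page or any particular driver), the following Python uses SQLite, whose `PRAGMA table_info()` metadata statement cannot take a bound parameter, to show the pattern: the user-supplied table filter is checked against a strict identifier shape and against the catalog (via a parameterized query) before it is ever spliced into the non-parameterizable statement. The function names and the in-memory schema are constructed for the demonstration.

```python
import re
import sqlite3

# Strict shape for a SQL identifier: letters, digits and underscore, not
# starting with a digit. Anything else is rejected before it nears the driver.
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,127}$")


def validate_table_filter(conn, user_value):
    """Return the table name if it is well-formed AND exists in the catalog.

    Raise ValueError otherwise. The catalog lookup itself is parameterized,
    so only an already-validated, known-good value ever reaches the
    non-parameterizable metadata statement in describe_table().
    """
    if not isinstance(user_value, str) or not _IDENT_RE.match(user_value):
        raise ValueError("invalid table name filter")
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (user_value,),
    ).fetchone()
    if row is None:
        raise ValueError("unknown table")
    return row[0]


def describe_table(conn, user_value):
    """Metadata query returning column names for one table.

    SQLite's PRAGMA table_info() does not accept a bound parameter, so the
    validated name is spliced into the statement text. It is wrapped in
    double quotes (embedded quotes doubled) as a last line of defence.
    """
    table = validate_table_filter(conn, user_value)
    quoted = '"' + table.replace('"', '""') + '"'
    return [r[1] for r in conn.execute(f"PRAGMA table_info({quoted})")]


def build_demo_db():
    """Constructed in-memory schema used only to exercise the checks."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT)")
    conn.execute("CREATE TABLE orders (id INTEGER, user_id INTEGER)")
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(describe_table(db, "users"))
    for bad in ("users) ; DROP TABLE users; --", "nope"):
        try:
            describe_table(db, bad)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
```

The same two-step check (shape, then catalog membership) applies to schema and catalog filters handed to any driver's metadata calls.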

For additional information on protecting against SQL injection attacks, see "Validate connection option values" in "Secure connection option settings."