// use prepared statement to prevent SQL injection

$preparedStatement = $dbConnection->prepare('SELECT * FROM animals WHERE name = ?');

$preparedStatement->bind_param('s', $name); 

$preparedStatement->execute();

$result = $preparedStatement->get_result();

while ($row = $result->fetch_assoc()) {

// Process $row

}

​

// This should REALLY be validated too

String custname = request.getParameter("customerName");

// Perform input validation to detect attacks

String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";

PreparedStatement pstmt = connection.prepareStatement( query );

pstmt.setString( 1, custname);

ResultSet results = pstmt.executeQuery( );

​

private static void UpdateDemographics(Int32 customerID,

    string demoXml, string connectionString)

{

    // Update the demographics for a store, which is stored  

    // in an xml column.  

    string commandText = "UPDATE Sales.Store SET Demographics = @demographics "

        + "WHERE CustomerID = @ID;";

​

    using (SqlConnection connection = new SqlConnection(connectionString))

    {

        SqlCommand command = new SqlCommand(commandText, connection);

        command.Parameters.Add("@ID", SqlDbType.Int);

        command.Parameters["@ID"].Value = customerID;

​

        // Use AddWithValue to assign Demographics. 

        // SQL Server will implicitly convert strings into XML.

        command.Parameters.AddWithValue("@demographics", demoXml);

​

        try

        {

            connection.Open();

            Int32 rowsAffected = command.ExecuteNonQuery();

            Console.WriteLine("RowsAffected: {0}", rowsAffected);

        }

        catch (Exception ex)

        {

            Console.WriteLine(ex.Message);

        }

    }

}