Skip to main content
Parametrized queries allow you to write SQL statements with $1, $2, … placeholders instead of hard-coded values. The actual values are supplied separately at execution time and substituted on the server side. This approach provides two key benefits:
  • SQL injection protection – Parameter values are validated and escaped by Firebolt before being applied to the query, preventing malicious input from altering query logic.
  • Code clarity – Queries remain readable and reusable regardless of the values being substituted.

.NET SDK

Repository: firebolt-db/firebolt-net-sdk Add preparedStatementParamStyle=FbNumeric to your connection string to enable server-side parametrized queries, then use $1, $2, … as placeholders.
Supported types: bool, byte, short, int, long, float, double, decimal, string, Guid, DateTime, DateOnly, DateTimeOffset, TimeOnly, byte[], and IList (arrays). For more details, see the .NET SDK README.

Go SDK

Repository: firebolt-db/firebolt-go-sdk Pass a context with the FbNumeric style enabled when preparing or executing statements. Use $1, $2, … as placeholders.
For more details, see the Go SDK README.

JDBC driver

Repository: firebolt-db/jdbc
Documentation: Connecting with JDBC
Add preparedStatementParamStyle=FbNumeric to your JDBC connection properties to enable server-side parametrized queries, then use $1, $2, … as placeholders.
Batch execution is also supported using addBatch() and executeBatch(). Supported types: boolean, byte, short, int, long, float, double, BigDecimal, String, Date, Timestamp, byte[], and Array. For more details, see the JDBC driver documentation.

Node.js SDK

Repository: firebolt-db/firebolt-node-sdk
Documentation: Connecting with Node.js
Set preparedStatementParamStyle: 'fb_numeric' in the connection options to enable server-side parametrized queries, then use $1, $2, … as placeholders.
You can also reference parameters by name using namedParameters:
For more details, see the Node.js SDK README.

REST API

When calling the Firebolt query API directly (without an SDK), pass query_parameters as a URL query string parameter containing a JSON array that maps each $number placeholder to its value. Format:
Example:
The query_parameters value must be URL-encoded when passed as a query string. The example above shows it unencoded for readability.

Summary