Parameterized Queries
How conexor.io prevents SQL injection at the protocol layer — regardless of what the AI model generates.
The problem with AI-generated SQL
AI models produce text. If you let a model write arbitrary SQL and execute it against your database, every prompt injection becomes a SQL injection: a malicious user can craft input that causes the model to emit destructive or data-exfiltrating SQL, and nothing between the model and the database will stop it.
User prompt:
"Show me users named '; DROP TABLE users; --"
Naïve SQL generation:
SELECT * FROM users WHERE name = ''; DROP TABLE users; --'
                                   ^^^^^^^^^^^^^^^^^^^^^^ injected!
How parameterized execution works
conexor.io never lets Claude write SQL. Instead, the model calls a typed MCP tool with named parameters. The tool definition specifies the query template — the model only provides parameter values.
What the model receives (tool definition)
{
  "name": "query_users",
  "description": "Get users matching optional filters",
  "input_schema": {
    "type": "object",
    "properties": {
      "email": { "type": "string", "description": "Filter by email" },
      "org_id": { "type": "string", "description": "Filter by org ID" },
      "limit": { "type": "integer", "default": 50 }
    }
  }
}
What the model sends (tool call)
{
  "tool": "query_users",
  "parameters": {
    "email": "[email protected]",
    "limit": 10
  }
}
What executes in the database
-- Template (defined by conexor.io, not the model):
SELECT * FROM users
WHERE (@email IS NULL OR email = @email)
  AND (@org_id IS NULL OR org_id = @org_id)
LIMIT @limit

-- Executed with typed parameters:
-- @email  = '[email protected]' (string)
-- @org_id = NULL (null)
-- @limit  = 10 (integer)
The parameter values are passed to the database driver as typed bind parameters; they never appear in the SQL string. The statement is compiled from the template alone and the values are supplied afterwards, so even a value that contains SQL syntax is handed to the database as a value to compare against, not parsed as part of the statement.
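The following is an added example, not conexor.io code, covering both the string-substituted generation shown under "The problem with AI-generated SQL" and the parameterized execution described here. It runs the page's query_users tool two ways against an in-memory SQLite database: run_parameterized() binds the model's values as typed parameters, while run_legacy() splices them into the template as text, standing in for the deprecated string-substitution mode. The registry layout, the helper names, the sample rows and the choice to submit the legacy text as a script are assumptions made for the example; SQLite's documented ':name' placeholder stands in for the page's '@name'.

```python
# Added example, not conexor.io code: the page's query_users tool executed two
# ways against an in-memory SQLite database. run_parameterized() binds the
# model's values as typed parameters; run_legacy() splices them into the
# template as text, standing in for the deprecated string-substitution mode.
# The registry layout, helper names and sample rows are assumptions.
import sqlite3
from typing import Any

# Tool definition as the model sees it (the page's query_users tool).
QUERY_USERS_SCHEMA = {
    "type": "object",
    "properties": {
        "email": {"type": "string", "description": "Filter by email"},
        "org_id": {"type": "string", "description": "Filter by org ID"},
        "limit": {"type": "integer", "default": 50},
    },
}

# Hypothetical tool registry: the template lives here, never in model output.
# SQLite's documented ':name' placeholder stands in for the page's '@name'.
TOOL_REGISTRY = {
    "query_users": {
        "schema": QUERY_USERS_SCHEMA,
        "sql": (
            "SELECT id, email, org_id FROM users "
            "WHERE (:email IS NULL OR email = :email) "
            "AND (:org_id IS NULL OR org_id = :org_id) "
            "ORDER BY id LIMIT :limit"
        ),
    }
}

_PY_TYPES = {"string": str, "integer": int}


def bind_args(schema: dict, params: dict) -> dict[str, Any]:
    """Check the model-supplied parameters against input_schema and build the
    complete binding map: every declared property is present, defaulted, or NULL."""
    props = schema["properties"]
    unknown = set(params) - set(props)
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    bound: dict[str, Any] = {}
    for name, spec in props.items():
        value = params.get(name, spec.get("default"))
        expected = _PY_TYPES[spec["type"]]
        # bool is an int subclass in Python, so reject it explicitly for integers
        if value is not None and (not isinstance(value, expected) or isinstance(value, bool)):
            raise TypeError(f"{name}: expected {spec['type']}, got {type(value).__name__}")
        bound[name] = value
    return bound


def run_parameterized(conn: sqlite3.Connection, call: dict) -> list[tuple]:
    """Parameterized mode: the SQL text sent to the driver is the registry
    template verbatim; values travel separately and cannot alter its structure."""
    tool = TOOL_REGISTRY[call["tool"]]
    bound = bind_args(tool["schema"], call["parameters"])
    return conn.execute(tool["sql"], bound).fetchall()


def run_legacy(conn: sqlite3.Connection, call: dict) -> None:
    """Deliberately vulnerable stand-in for the deprecated mode: values are
    quoted and spliced into the template, and the composed text is submitted
    as a script (an assumption here, so stacked statements can run)."""
    tool = TOOL_REGISTRY[call["tool"]]
    bound = bind_args(tool["schema"], call["parameters"])  # types are fine; text is hostile
    sql = tool["sql"]
    for name, value in bound.items():
        if value is None:
            literal = "NULL"
        elif isinstance(value, str):
            literal = "'" + value + "'"  # no escaping: this is the bug
        else:
            literal = str(value)
        sql = sql.replace(":" + name, literal)
    conn.executescript(sql)


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = :n", {"n": name}
    ).fetchone()
    return row is not None


def fresh_db() -> sqlite3.Connection:
    """Constructed sample data: two users in two orgs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, org_id TEXT)")
    conn.executemany(
        "INSERT INTO users (email, org_id) VALUES (:e, :o)",
        [{"e": "alice@org1.example", "o": "org-1"}, {"e": "bob@org2.example", "o": "org-2"}],
    )
    conn.commit()
    return conn


# The page's payload adapted to this template: the leading ')' closes the
# template's parenthesis so the DROP parses as a second statement and the
# '--' comments out the rest of the line.
HOSTILE_CALL = {
    "tool": "query_users",
    "parameters": {"email": "') OR 1=1; DROP TABLE users; --", "limit": 10},
}

if __name__ == "__main__":
    db = fresh_db()
    print("parameterized rows:", run_parameterized(db, HOSTILE_CALL))
    print("users table intact:", table_exists(db, "users"))
    db = fresh_db()
    run_legacy(db, HOSTILE_CALL)
    print("legacy, users table intact:", table_exists(db, "users"))
```

Run as a script, the parameterized call returns no rows and leaves the users table in place, because the hostile email is compared as a value; the legacy call drops the table, because the same text was parsed as SQL. Note that bind_args passes the hostile value in both cases: schema type checks rule out the wrong kind of value, not hostile content, which is why the binding mechanism, not validation, carries the security property.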
Why this is structurally safe
The query template lives in conexor.io's tool registry; the model has no way to modify it. The model can only influence the parameter values. Since parameters are typed and bound separately from the SQL string, there is no mechanism by which a parameter value can alter query structure.

What the model controls:
- Parameter values
- Which tool to call
- How many results to request

What the model cannot control:
- Query template / SQL structure
- Tables accessed
- Whether to use SELECT, INSERT, UPDATE, DELETE
- JOIN conditions

This guarantee covers query structure only. The model still chooses the values, so a tool that filters by org_id returns whichever org the model asked for; whether the end user is allowed to see that org is an authorization decision the tool or data source has to make separately. Parameterization does not make it.
Legacy: string-substituted queries
Early versions of conexor.io used string substitution for parameters: values were interpolated directly into the SQL template, the same pattern shown under "The problem with AI-generated SQL" above, so a parameter value containing quote characters could change the statement's structure. This approach has been deprecated and is kept only for backward compatibility with older agents.
You can check which mode is active on the data source detail page. The Execution Mode field shows either Parameterized (safe) or Legacy (upgrade recommended).
© 2026 conexor.io