A database query where user input is passed as separate data instead of being mixed into the SQL text. This is how your ORM blocks SQL injection by default, under the hood.
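The difference, shown as an added example (not code from the original page) using Python's standard `sqlite3` module: the same lookup written with the input spliced into the SQL text and with the input bound as a separate value. The table, the function names and the sample inputs are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample inputs (not from the original page).
HOSTILE = "nobody' OR '1'='1"   # value containing a quote and SQL keywords
APOSTROPHE = "o'brien"          # legitimate name that contains a quote

def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (name) VALUES (?)",
        [("alice",), ("bob",), ("carol",), (APOSTROPHE,)],
    )
    return conn

def lookup_mixed(conn, name):
    """Anti-pattern: the input becomes part of the SQL text and is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    """The SQL text is fixed; the input travels separately as a bound value."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]

def demo():
    """Run both lookups against both inputs and collect the outcomes."""
    conn = make_db()
    results = {
        # The quote ends the string literal, so the WHERE clause matches every row.
        "mixed_hostile": lookup_mixed(conn, HOSTILE),
        # Compared as a literal string: no user has that name.
        "param_hostile": lookup_parameterized(conn, HOSTILE),
        # A quote inside bound data needs no escaping.
        "param_apostrophe": lookup_parameterized(conn, APOSTROPHE),
    }
    try:
        lookup_mixed(conn, APOSTROPHE)
        results["mixed_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        # The same quote breaks the mixed query even for a benign input.
        results["mixed_apostrophe"] = "syntax error"
    conn.close()
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The benign apostrophe case is a useful review signal: a query that fails on `o'brien` is being built from text and needs to be converted to bound parameters.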