SQL Tag
Christoph Herrmann edited this page Oct 17, 2019 · 2 revisions
As an alternative to sql.query(), pg's own client.query() can also be used. The downside is that client.query() does not check that the given parameter is a SQL tagged template literal: a forgotten sql tag means the interpolated values are inlined into the query text, which can open the door to SQL injection.
```js
const sql = require('sql-pg') // provides both the sql tag and sql.query()

const email = 'email'
const name = 'name'
// Run inside an async function. sql.query() first verifies that its argument
// was built by the sql tag and only then hands text and values to pg, so the
// interpolated values arrive at the server as bound parameters, not as SQL.
const result = await sql.query(sql`
  SELECT * FROM users WHERE email = ${email} AND name = ${name}
`)
// text: SELECT * FROM users WHERE email = $1 AND name = $2
// values: ['email', 'name']
```

Found a bug or missing a feature? -> Create a new Issue
Found a security issue? -> Look at the Security Policy
Having questions, want to give feedback or talk to me? -> E-Mail me sql-pg@sharaal.de
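To make the difference between the two entry points concrete, here is an added example (not sql-pg's own code) with a minimal sql tag that builds a pg-style parameterised query, a stand-in for pg's client.query() that accepts anything, and a guard that only lets tagged queries through. The names sql, isSqlTag, safeQuery, fakeClient and buildTwo are assumptions for this illustration.

```javascript
// Added example, not part of sql-pg: minimal tag + guard to show why the
// "is this an sql-tagged template?" check matters.
const SQL_TAG = Symbol('sql-tag')

// Tag function: the literal SQL parts become the text with $1, $2, ...
// placeholders; the interpolated values never touch the SQL text.
function sql(strings, ...values) {
  let text = strings[0]
  values.forEach((_, i) => { text += `$${i + 1}` + strings[i + 1] })
  return { text, values, [SQL_TAG]: true }
}

function isSqlTag(q) {
  return q !== null && typeof q === 'object' && q[SQL_TAG] === true
}

// Stand-in for pg's client.query(): it forwards whatever it is given, so a
// plain string with interpolated user input would reach the server verbatim.
const fakeClient = {
  query(q) {
    return typeof q === 'string' ? { text: q, values: [] } : { text: q.text, values: q.values }
  }
}

// The check sql.query() adds on top of client.query(): only tagged queries pass.
function safeQuery(client, q) {
  if (!isSqlTag(q)) throw new TypeError('query must be built with the sql tag')
  return client.query(q)
}

// The page's two-parameter query, built through the tag.
function buildTwo(email, name) {
  return sql`SELECT * FROM users WHERE email = ${email} AND name = ${name}`
}

// Constructed hostile input: with the tag it stays inside values and the
// text keeps its $1 placeholder instead of being altered.
const email = "x' OR '1'='1"
const tagged = safeQuery(fakeClient, sql`SELECT * FROM users WHERE email = ${email}`)

// A forgotten tag: client.query() would send this string as-is, safeQuery refuses it.
function untaggedIsRejected() {
  try { safeQuery(fakeClient, `SELECT * FROM users WHERE email = '${email}'`); return false }
  catch (e) { return e instanceof TypeError }
}
```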