SQL Tag
Christoph Herrmann edited this page Oct 17, 2019 · 2 revisions
Instead of sql.query(), the client.query() of pg can also be used. The downside is that client.query() does not check whether the given parameter is a SQL tagged template literal. A missing SQL tag opens the door to SQL injection, because the query is then sent as a plain string with the values concatenated into it.
```js
const email = 'email'
const name = 'name'

// The sql tag turns the template literal into a pg query object:
// interpolated values become $1, $2, ... placeholders and are sent
// separately as parameters, so they never become part of the SQL text.
const result = await sql.query(sql`
  SELECT * FROM users WHERE email = ${email} AND name = ${name}
`)
// text: SELECT * FROM users WHERE email = $1 AND name = $2
// values: ['email', 'name']
```
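The following is an added example, not the project's own code, showing what a tag of this kind produces and the check that sql.query() performs and a bare client.query() does not. The `sql`, `isSqlTagged`, `safeQuery` and `fakeClient` names, the `SQL_TAGGED` marker and the whitespace trimming are assumptions of this example.

```javascript
// Marker that only the tag function can attach to a query object (assumption:
// the real library may detect tagged queries differently).
const SQL_TAGGED = Symbol('sql-tagged')

// Minimal sql tag: interleaves the literal chunks with $1, $2, ... placeholders.
// Interpolated values go into `values`, never into the SQL text, so hostile
// input cannot change the structure of the statement.
function sql(strings, ...values) {
  let text = strings[0]
  values.forEach((_, i) => {
    text += `$${i + 1}` + strings[i + 1]
  })
  return { text: text.trim(), values, [SQL_TAGGED]: true }
}

function isSqlTagged(query) {
  return query !== null && typeof query === 'object' && query[SQL_TAGGED] === true
}

// Stand-in for a pg client that records what it would have sent to the server.
function fakeClient() {
  const sent = []
  return {
    sent,
    query: (q) => { sent.push(q); return Promise.resolve({ rows: [] }) }
  }
}

// The missing check described above: refuse anything that was not built with
// the sql tag, e.g. a plain string with user input concatenated into it.
function safeQuery(client, query) {
  if (!isSqlTagged(query)) {
    throw new TypeError('query must be a SQL tagged template literal')
  }
  return client.query(query)
}

// Constructed sample input that would break out of a concatenated string.
const hostileEmail = "x' OR '1'='1"
const tagged = sql`SELECT * FROM users WHERE email = ${hostileEmail}`
// tagged.text   -> "SELECT * FROM users WHERE email = $1"
// tagged.values -> ["x' OR '1'='1"]  (sent as a parameter, not as SQL)
```

Passing the concatenated string `"SELECT * FROM users WHERE email = '" + hostileEmail + "'"` to `safeQuery` throws, whereas pg's client.query() would send it to the server unchanged.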
Found a bug or missing a feature? -> Create a new Issue
Found a security issue? -> Look at the Security Policy
Having questions, want to give feedback or talk to me? -> E-Mail me [email protected]