
SQL Tag

Christoph Herrmann edited this page Oct 17, 2019 · 2 revisions

As an alternative to sql.query(), the client.query() of pg can be used directly. The downside is that client.query() does not check that the given parameter is a SQL tagged template literal: it accepts any string. A forgotten sql tag then turns a parameterised query into plain string interpolation, which opens the door to SQL injection. sql.query() refuses anything that was not built with the sql tag, so the missing tag fails at the call site instead of reaching the database.
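The following is an added example, not the library's own code: a minimal `sql` tag that brands its result with a Symbol, a `safeQuery()` wrapper in the spirit of sql.query() that rejects untagged input, and a `FakeClient` stand-in for pg that records what would reach the server. The hostile value, the function names and the fake client are all constructed for the demonstration.

```javascript
// Brand used to recognise queries built with the sql tag (assumption for this demo).
const SQL_TAG = Symbol('sql-tagged');

// Minimal tagged template: turns ${value} slots into $1, $2, ... placeholders
// and collects the values for parameter binding.
function sql(strings, ...values) {
  let text = strings[0];
  const params = [];
  values.forEach((value, i) => {
    params.push(value);
    text += `$${i + 1}` + strings[i + 1];
  });
  return { [SQL_TAG]: true, text: text.trim(), values: params };
}

function isSqlTagged(query) {
  return query !== null && typeof query === 'object' && query[SQL_TAG] === true;
}

// Stand-in for a pg client. Like the real client.query() it accepts a plain
// string or a {text, values} config and performs no tag check. Synchronous
// here for the demo; the real pg client returns a promise.
class FakeClient {
  constructor() {
    this.sent = [];
  }
  query(textOrConfig, values) {
    const cfg = typeof textOrConfig === 'string'
      ? { text: textOrConfig, values: values || [] }
      : textOrConfig;
    this.sent.push(cfg);
    return cfg;
  }
}

// sql.query()-style wrapper: only a tagged query is forwarded to the client.
function safeQuery(client, query) {
  if (!isSqlTagged(query)) {
    throw new TypeError('query must be built with the sql tag');
  }
  return client.query({ text: query.text, values: query.values });
}

// Constructed attacker-controlled input.
const hostile = "' OR 1=1 --";

// Forgotten tag: an ordinary template literal interpolates the value into SQL text.
function buildUnsafe(email) {
  return `SELECT * FROM users WHERE email = '${email}'`;
}

// With the tag the value is bound as $1 and never touches the SQL text.
function buildSafe(email) {
  return sql`SELECT * FROM users WHERE email = ${email}`;
}

// What a direct client.query() call would send for the untagged query.
function sendUnsafeDirectly() {
  const client = new FakeClient();
  return client.query(buildUnsafe(hostile));
}

// What safeQuery() sends for the tagged query.
function sendSafely() {
  const client = new FakeClient();
  return safeQuery(client, buildSafe(hostile));
}
```

`sendUnsafeDirectly()` shows the problem: the client accepts the string, and the text it records is `SELECT * FROM users WHERE email = '' OR 1=1 --'` with an empty values array, so the comment marker neutralises the closing quote and the condition is always true. `safeQuery()` with the same untagged string throws a TypeError before anything is sent, while the tagged version binds the hostile value as `$1`.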

Extract and bind values

```js
const email = 'email'
const name = 'name'

// Each ${...} slot becomes a positional placeholder; the values are bound separately.
const result = await sql.query(sql`
  SELECT * FROM users WHERE email = ${email} AND name = ${name}
`)

// text: SELECT * FROM users WHERE email = $1 AND name = $2
// values: ['email', 'name']
```