re: Persisting a Node API with PostgreSQL, without the help of ORM's like sequelize.

 

You can, but using template literals to interpolate query parameters like you're suggesting opens you up to SQL injection attacks. If the id value is passed from somewhere the user can modify it, someone could supply a value like 3; DROP TABLE users CASCADE; and the driver would happily execute it.

Interpolation like that is also more difficult with strings because of the quoting rules, so it's really never worth it. Prepared statements with $n placeholders are easier and safer.

For Postgres+Node specifically, pg-promise lets you use named parameters and dynamic SQL with prepared statements, which might be worth checking out if you want to avoid having to count params.

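The contrast the comment above draws, as an added example that is not part of the original comment or of node-postgres: the template-literal query beside its parameterised form, using the pg-style `$1` placeholder and the `{ text, values }` object shape that pg's `client.query()` accepts. No database is contacted; a small statement splitter (written here for illustration only) makes visible that the constructed payload from the comment turns the interpolated text into two statements while the parameterised text stays a single statement and the value travels separately. The `O'Reilly` input is likewise constructed to show the quoting problem the comment mentions. The splitter is a demonstration aid, not a defense: a payload such as `x' OR '1'='1` keeps the quotes balanced and the statement count at one while still changing what the query does, which is why the fix is parameters, not filtering.

```javascript
// Added example (not from the original comment or from node-postgres).
// Assumes pg-style positional placeholders ($1, $2, ...) and pg's
// { text, values } query config shape. Nothing here talks to a database.

// Vulnerable: the user-controlled value becomes part of the SQL text.
function buildInterpolated(id) {
  return `SELECT * FROM users WHERE id = ${id}`;
}

// Safe: the SQL text is constant; the value is carried out-of-band as a
// parameter. This object is what you would hand to client.query(config) in pg.
function buildParameterised(id) {
  return { text: 'SELECT * FROM users WHERE id = $1', values: [id] };
}

// Same contrast for a string column, where quoting makes interpolation brittle.
function buildInterpolatedName(name) {
  return `SELECT * FROM users WHERE name = '${name}'`;
}

function buildParameterisedName(name) {
  return { text: 'SELECT * FROM users WHERE name = $1', values: [name] };
}

// Minimal statement splitter for the demonstration: splits on ';' outside
// single-quoted literals ('' is the SQL escape for a literal quote). Returns the
// non-empty statements and whether a quoted literal was left open.
function splitStatements(sql) {
  const statements = [];
  let current = '';
  let inString = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inString) {
      current += ch;
      if (ch === "'") {
        if (sql[i + 1] === "'") { current += "'"; i++; } // escaped quote, stay in literal
        else inString = false;
      }
    } else if (ch === "'") {
      inString = true;
      current += ch;
    } else if (ch === ';') {
      if (current.trim()) statements.push(current.trim());
      current = '';
    } else {
      current += ch;
    }
  }
  if (current.trim()) statements.push(current.trim());
  return { statements, unterminated: inString };
}

// Runs both inputs through both query builders and returns a summary.
function demo() {
  // Constructed attacker input, as in the comment above.
  const payload = '3; DROP TABLE users CASCADE;';
  // Constructed legitimate input that happens to contain a quote.
  const name = "O'Reilly";

  const interpolated = splitStatements(buildInterpolated(payload));
  const parameterised = buildParameterised(payload);

  return {
    interpolatedStatementCount: interpolated.statements.length, // 2: the DROP became a statement
    parameterisedStatementCount: splitStatements(parameterised.text).statements.length, // 1
    parameterisedValue: parameterised.values[0], // payload survives only as data
    interpolatedNameUnterminated: splitStatements(buildInterpolatedName(name)).unterminated, // true
    parameterisedNameUnterminated: splitStatements(buildParameterisedName(name).text).unterminated, // false
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In real pg usage the two paths also differ at the protocol level: a query sent without `values` goes over the simple query protocol, which accepts several statements in one string, whereas a query with `values` goes over the extended protocol, where PostgreSQL rejects multiple commands in a prepared statement. That is the mechanism behind the comment's "the driver would happily execute it" on the interpolated side.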