It's pronounced Diane. I do data architecture, operations, and backend development. In my spare time I maintain Massive.js, a data mapper for Node.js and PostgreSQL.
You can, but using template literals to interpolate query parameters like you're suggesting opens you up to SQL injection attacks. If the id value is passed from somewhere the user can modify it, someone could supply a value like 3; DROP TABLE users CASCADE; and the driver would happily execute it.
Interpolation like that is also more difficult with strings because of the quoting rules, so it's really never worth it. Prepared statements with $n placeholders are easier and safer.
For Postgres+Node specifically, pg-promise lets you use named parameters and dynamic SQL with prepared statements, which might be worth checking out if you want to avoid having to count params.
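The contrast the comment draws, written out as an added example (not code from the comment's author or from Massive.js or pg-promise). It uses the query-config object shape that node-postgres (pg) accepts, `{ text, values }`, and never opens a database connection: the functions return the query objects so the difference between interpolation and a $n placeholder is visible offline. The `countStatements` and `parseIntegerId` helpers are constructed for the demonstration.

```javascript
// Added example: interpolated SQL versus a parameterized query in the
// { text, values } form that pg's pool.query / client.query accept.
// Nothing here talks to Postgres; the functions only build query objects.

// Unsafe: the value becomes part of the SQL text, so whatever the caller
// sends is parsed as SQL. Shown only to make the problem concrete.
function buildUnsafeQuery(id) {
  return { text: `SELECT * FROM users WHERE id = ${id}` };
}

// Safe: the SQL text is fixed and the value travels separately as $1.
// pg sends text and values to the server as distinct parts of the
// extended-query protocol, so the value is never parsed as SQL.
function buildSafeQuery(id) {
  return { text: 'SELECT * FROM users WHERE id = $1', values: [id] };
}

// Several parameters: $n is the 1-based position in the values array.
function buildSafeQueryMulti(email, role) {
  return {
    text: 'SELECT * FROM users WHERE email = $1 AND role = $2',
    values: [email, role],
  };
}

// Defensive check for an integer id before it reaches the query layer.
// Returns null for anything that is not a plain decimal integer string.
function parseIntegerId(raw) {
  if (typeof raw !== 'string' || !/^\d+$/.test(raw)) return null;
  const n = Number(raw);
  return Number.isSafeInteger(n) ? n : null;
}

// Constructed helper: counts statements by splitting on semicolons.
// Naive (ignores quoting), but enough to show how many statements the
// server would see for each query text built above.
function countStatements(sql) {
  return sql.split(';').filter((s) => s.trim().length > 0).length;
}

// Usage with pg (assumes a configured Pool named `pool`; not run here):
//   const id = parseIntegerId(req.params.id);
//   if (id === null) return res.status(400).end();
//   const { rows } = await pool.query(buildSafeQuery(id));
```

With the hostile value from the comment, `buildUnsafeQuery` yields a text containing two statements, while `buildSafeQuery` yields one statement and carries the value unchanged inside `values`, where the server treats it as data.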
Thanks Dian