Discussion on: Persisting a Node API with PostgreSQL, without the help of ORM's like sequelize.

Dian Fay

You can, but using template literals to interpolate query parameters like you're suggesting opens you up to SQL injection attacks. If the id value is passed from somewhere the user can modify it, someone could supply a value like `3; DROP TABLE users CASCADE;` and the driver would happily execute it.

Interpolation like that is also more difficult with strings because of the quoting rules, so it's really never worth it. Prepared statements with `$n` placeholders are easier and safer.

For Postgres+Node specifically, pg-promise lets you use named parameters and dynamic SQL with prepared statements, which might be worth checking out if you want to avoid having to count params.
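The two forms Dian contrasts, as an added example that is not code from this thread or from pg-promise: the interpolated query carries the hostile value straight into the SQL text, while the `$1` form keeps the text fixed and sends the value separately in the `{ text, values }` shape node-postgres accepts. The `checkPlaceholders` helper is hypothetical, a small guard against the placeholder miscounting that positional parameters invite.

```javascript
// Added example: the same user lookup written both ways. No database is
// contacted, so it runs stand-alone; the query object shape is the one
// node-postgres (pg) takes in pool.query({ text, values }).

// Vulnerable: the caller-controlled id becomes part of the SQL text itself.
function buildInterpolated(id) {
  return `SELECT * FROM users WHERE id = ${id}`;
}

// Safe: the SQL text never changes; the id travels as parameter $1 and the
// driver sends it to Postgres as a value, not as SQL to be parsed.
function buildParameterized(id) {
  return { text: 'SELECT * FROM users WHERE id = $1', values: [id] };
}

// Hypothetical helper: make sure the highest $n in the text matches the
// number of values supplied, so a miscount fails fast instead of at runtime.
function checkPlaceholders(query) {
  const numbers = [...query.text.matchAll(/\$(\d+)/g)].map(m => Number(m[1]));
  const highest = numbers.length ? Math.max(...numbers) : 0;
  if (highest !== query.values.length) {
    throw new Error(`query uses $1..$${highest} but got ${query.values.length} values`);
  }
  return true;
}

// Constructed input: the payload from the comment above, as it would arrive
// in a request parameter.
const hostile = '3; DROP TABLE users CASCADE;';
```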

Johnson Ogwuru

Thanks Dian