3 comments

[ 5.4 ms ] story [ 19.5 ms ] thread
Very interesting. If processing a query off of user input, what mechanisms have you implemented/do you plan to implement to prevent SQL injection? If that is not within the scope of this library, what additional package(s) would you recommend using in partnership with this library to prevent SQL injection?
PgTyped doesn't include a query executor. It transforms a query and its parameters into a format of parametrized query+parameter bindings, which are then sent into a Postgres DB driver of your choice. A proper DB driver sends the query+parameter bindings pair to the DB. This means that the actual parameter substitution is done on the Postgres server and so SQL injections are prevented on the DB server side. The driver we recommend and use is node-postgres. It does support parametrized query passing.