This repository has been archived by the owner on Nov 9, 2021. It is now read-only.

Add support for parameterized queries #32

Closed
abrkn opened this issue Aug 16, 2013 · 5 comments

Comments

@abrkn

abrkn commented Aug 16, 2013

No amount of escaping will save you from SQL injection attacks. Queries must be parameterized.

http://www.codinghorror.com/blog/2005/04/give-me-parameterized-sql-or-give-me-death.html

@mtsr
Contributor

mtsr commented Aug 23, 2013

I just added pull request #34 for this functionality (initially compatible with node-postgres).

@hiddentao
Owner

Squel does support parameterized queries, using the usingValuePlaceholders option; see http://hiddentao.github.io/squel/#update

I think I need to add a top-level section to the docs for parameterized queries to make this clearer to people.

@mtsr
Contributor

mtsr commented Aug 24, 2013

Well sure, you can do this:

var query = squel.update()
  .table("students")
  .set("name", "$1")
  .set("gender", "$2")
  .toString();

// node-postgres client
client.query({ text: query, values: ['Thomas', 'M'] });

But using my pull request you can do

var query = squel.update()
  .table("students")
  .set("name", "Thomas")
  .set("gender", "M")
  .toParam();

// node-postgres client
client.query(query);

which is much easier to read and maintain.
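Added illustration for the two points made in this thread (abrkn's, that escaping is not a substitute for parameterization, and mtsr's, that a builder returning { text, values } keeps the SQL text and the data apart). This is constructed example code, not squel's implementation and not the pull request's code: buildUpdateParam is a minimal stand-in that produces the same shape of object the thread passes to node-postgres, with numbered $1, $2 placeholders; buildUpdateConcat is the naive string-concatenation approach shown for contrast; the table, column names and the hostile sample value are all made up here.

```javascript
// Constructed example (not squel's code): a naive concatenating builder
// next to a parameterizing one that returns { text, values }, to show
// why only the second keeps a hostile value out of the SQL statement.

// Naive builder: interpolates values straight into the SQL text.
// A value containing a quote changes the structure of the statement.
function buildUpdateConcat(table, assignments, idValue) {
  const setClause = Object.entries(assignments)
    .map(([col, val]) => `${col} = '${val}'`)
    .join(", ");
  return `UPDATE ${table} SET ${setClause} WHERE id = '${idValue}'`;
}

// Parameterized builder: the SQL text contains only identifiers and
// $n placeholders; every value travels in `values`, so the driver sends
// it as data and it can never be parsed as part of the statement.
function buildUpdateParam(table, assignments, idValue) {
  const values = [];
  const setClause = Object.entries(assignments)
    .map(([col, val]) => {
      values.push(val);
      return `${col} = $${values.length}`;
    })
    .join(", ");
  values.push(idValue);
  return {
    text: `UPDATE ${table} SET ${setClause} WHERE id = $${values.length}`,
    values,
  };
}

// Constructed hostile value: a single quote followed by an extra
// assignment and a comment marker, the shape that breaks concatenation.
const HOSTILE_NAME = "O'Brien', gender = 'X' --";

// Returns true when the hostile value appears inside the SQL text.
// Concatenation: true (it became part of the statement).
// Parameterization: false (it is only ever an element of `values`).
function hostileValueReachesSql(useParams) {
  const assignments = { name: HOSTILE_NAME, gender: "M" };
  if (useParams) {
    const q = buildUpdateParam("students", assignments, 7);
    return q.text.includes(HOSTILE_NAME);
  }
  return buildUpdateConcat("students", assignments, 7).includes(HOSTILE_NAME);
}

// Show the parameterized shape; this object is what a node-postgres
// client.query({ text, values }) call consumes.
console.log(buildUpdateParam("students", { name: "Thomas", gender: "M" }, 7));
console.log("concat leaks value:", hostileValueReachesSql(false));
console.log("params leak value: ", hostileValueReachesSql(true));
```

The thing to notice is that the parameterized builder never needs an escaping routine at all: the text is fully determined by the builder's own identifiers and placeholder positions before any user-supplied value is seen, which is exactly why the values array, not escaping, is the correct place for untrusted data.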

@abrkn
Author

abrkn commented Aug 26, 2013

👍

@hiddentao
Owner

Version 2.0.0 now has the toParam() method included from #34
