This repository has been archived by the owner on Jul 2, 2021. It is now read-only.

Question: Sanitisation #4

Closed
ebebbington opened this issue Jun 21, 2020 · 2 comments

Comments

@ebebbington
Is sanitisation in place under the hood, or is it down to the developer to sanitise the input themselves?

@jakajancar
Owner

If you use placeholders in queries ($1, $2, ...) and pass the values as the second argument to `query()`, you do not need to do (and should not do) any escaping. The values are encoded and sent to the server separately from the query.

If you were to insert the values directly into the query, you would need to escape them yourself as per postgres' syntax. But I don't know why you would want to do that.
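The mechanism the maintainer describes, as an added example that is not part of this thread or of the project's own code: PostgreSQL's extended query protocol carries the SQL text in a Parse message and the parameter values in a separate Bind message, so the value bytes never become part of what the server parses. The encoder and decoder below are written for illustration; they assume the library uses the extended protocol (which the `$1` placeholders and "sent separately" imply), and the function names, the sample query and the hostile value are made up. The `naiveInterpolate` function is the unsafe string-splicing approach, kept deliberately unescaped to show why it must not be used.

```typescript
// Added example: Parse/Bind framing of a parameterised query versus string splicing.
// Not the library's code; hypothetical helper names; wire layout per the PostgreSQL
// frontend/backend protocol (network byte order, NUL-terminated strings).

const enc = new TextEncoder();
const dec = new TextDecoder();

type Param = string | null;

// PostgreSQL "String" wire type: bytes followed by a NUL terminator.
function cstring(s: string): Uint8Array {
  if (s.includes("\0")) throw new Error("NUL byte not allowed in a protocol string");
  return enc.encode(s + "\0");
}

function concat(parts: Uint8Array[]): Uint8Array {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) { out.set(p, off); off += p.length; }
  return out;
}

function int16(n: number): Uint8Array {
  return new Uint8Array([(n >> 8) & 0xff, n & 0xff]);
}

function int32(n: number): Uint8Array {
  return new Uint8Array([(n >>> 24) & 0xff, (n >> 16) & 0xff, (n >> 8) & 0xff, n & 0xff]);
}

function readInt16(b: Uint8Array, i: number): number {
  return (((b[i] << 8) | b[i + 1]) << 16) >> 16; // sign-extend
}

function readInt32(b: Uint8Array, i: number): number {
  return (b[i] << 24) | (b[i + 1] << 16) | (b[i + 2] << 8) | b[i + 3];
}

// Message = type byte + Int32 length (counts itself, not the type byte) + body.
function frame(type: string, body: Uint8Array): Uint8Array {
  return concat([enc.encode(type), int32(body.length + 4), body]);
}

// Parse ('P'): statement name, SQL text containing $1..$n, zero declared parameter types.
// The SQL text is sent exactly as written; no value is ever spliced into it.
function encodeParse(statement: string, sql: string): Uint8Array {
  return frame("P", concat([cstring(statement), cstring(sql), int16(0)]));
}

// Bind ('B'): portal, statement, then each value as Int32 length + raw bytes (-1 = NULL).
// Values travel as opaque length-prefixed data, so quotes and keywords inside them are inert.
function encodeBind(portal: string, statement: string, params: Param[]): Uint8Array {
  const values = params.map((p) =>
    p === null ? int32(-1) : concat([int32(enc.encode(p).length), enc.encode(p)]));
  return frame("B", concat([
    cstring(portal), cstring(statement),
    int16(0),              // parameter format codes: none, so all text
    int16(params.length),
    ...values,
    int16(0),              // result-column format codes: none, so all text
  ]));
}

// What the server will plan: the SQL text recovered from a Parse message.
function sqlFromParse(msg: Uint8Array): string {
  let i = 5;                         // skip 'P' and the Int32 length
  while (msg[i] !== 0) i++; i++;     // skip statement name
  const start = i;
  while (msg[i] !== 0) i++;
  return dec.decode(msg.subarray(start, i));
}

// The values recovered from a Bind message, as the server sees them.
function paramsFromBind(msg: Uint8Array): Param[] {
  let i = 5;
  while (msg[i] !== 0) i++; i++;     // portal
  while (msg[i] !== 0) i++; i++;     // statement
  const nFormats = readInt16(msg, i); i += 2 + 2 * nFormats;
  const n = readInt16(msg, i); i += 2;
  const out: Param[] = [];
  for (let k = 0; k < n; k++) {
    const len = readInt32(msg, i); i += 4;
    if (len === -1) { out.push(null); continue; }
    out.push(dec.decode(msg.subarray(i, i + len))); i += len;
  }
  return out;
}

// UNSAFE: the approach the maintainer warns against. The value becomes SQL text,
// so a quote in it changes the statement's structure.
function naiveInterpolate(sql: string, params: string[]): string {
  return sql.replace(/\$(\d+)/g, (_m: string, n: string) => "'" + params[Number(n) - 1] + "'");
}
```

Run `sqlFromParse(encodeParse("", sql))` on a query and `paramsFromBind(encodeBind("", "", [value]))` on a hostile value such as `x' OR '1'='1`: the Parse text is byte-for-byte the template you wrote, and the value comes back intact as one parameter. The same value through `naiveInterpolate` yields `... WHERE name = 'x' OR '1'='1'`, which is a different query.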

@ebebbington
Author

Ok cool, thanks for answering :) Though it feels like it isn't directly mentioned, I think it would be a good point to add, as, like you said, no one really wants to run queries without escaping, and it takes the load off the developer :)
