This repository has been archived by the owner on Jul 2, 2021. It is now read-only.
If you use placeholders in queries ($1, $2, ...) and pass the values as the second argument to `query()`, you do not need to do (and should not do) any escaping. The values are encoded and sent to the server separately from the query.
If you were to insert the values directly into the query, you would need to escape them yourself as per postgres' syntax. But I don't know why you would want to do that.
Ok cool, thanks for answering :) Though it feels like it isn't directly mentioned, I think it would be a good point to make though, as like you said, no one really wants to run queries without escaping, and it takes the load off the developer :)
Is sanitisation in place under the hood, or is it down to the developer to sanitise the input themselves?