Open ali-7 opened 5 years ago
simple example

```js
const { Pool } = require('pg')
// Connection settings are read from the usual PG* environment variables.
const pool = new Pool()

// Values are passed separately from the SQL text, never concatenated into it.
const sql = 'INSERT INTO users(name, email) VALUES($1, $2) RETURNING name, email'
const values = ['ali', 'ali@ali.com']
pool.query(sql, values, (err, res) => {
  if (err) return console.error(err)
  console.log(res.rows) // [ { name: 'ali', email: 'ali@ali.com' } ]
})
```

or

```js
// The same query as a single config object: pg accepts { text, values }.
const sql = {
  text: 'INSERT INTO users(name, email) VALUES($1, $2) RETURNING name, email',
  values: ['ali', 'ali@ali.com'],
}
pool.query(sql, (err, res) => {
  if (err) return console.error(err)
  console.log(res.rows) // [ { name: 'ali', email: 'ali@ali.com' } ]
})
```
Why use a parameterized query

1- The most important reason to use parameterized queries is to avoid SQL injection attacks.
2- Secondly, a parameterized query takes care of the scenario where the SQL query might fail, e.g. inserting O'Baily into a field. A parameterized query handles such a query without forcing you to replace single quotes with double single quotes.
https://stackoverflow.com/questions/4712037/what-is-parameterized-query
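The two points above (user data never enters the SQL text, so an apostrophe in O'Baily needs no escaping) carried a step further than the single-row insert in the comment: an added example, not code from the issue or the productApp repo, that builds a parameterized multi-row INSERT in pg's `{ text, values }` form. It assumes node-postgres' `$n` placeholder numbering, and `FakePool` is a constructed stand-in so it runs without a database.

```javascript
// Return a pg query config for inserting users ([{ name, email }, ...]).
// Placeholders are numbered $1, $2, ... in the order values are pushed, so a
// name like O'Baily lives only in `values` and never touches the SQL text.
function bulkInsertConfig(users) {
  if (!Array.isArray(users) || users.length === 0) {
    throw new Error('bulkInsertConfig: need at least one user');
  }
  const values = [];
  const rowPlaceholders = users.map(({ name, email }) => {
    values.push(name, email);
    const n = values.length;
    return `($${n - 1}, $${n})`;
  });
  return {
    text: `INSERT INTO users(name, email) VALUES ${rowPlaceholders.join(', ')} RETURNING name, email`,
    values,
  };
}

// Run the insert through a pg Pool (or anything whose query(config) returns a
// promise) and hand back the inserted rows.
async function insertUsers(pool, users) {
  const res = await pool.query(bulkInsertConfig(users));
  return res.rows;
}

// Constructed stand-in for a pg Pool so the example runs offline: it records
// the config it received and echoes the bound values back as rows.
class FakePool {
  constructor() { this.lastConfig = null; }
  async query(config) {
    this.lastConfig = config;
    const rows = [];
    for (let i = 0; i < config.values.length; i += 2) {
      rows.push({ name: config.values[i], email: config.values[i + 1] });
    }
    return { rows, rowCount: rows.length };
  }
}

// Sample input (constructed): the apostrophe case from the comment above.
const sampleUsers = [
  { name: "O'Baily", email: 'obaily@example.com' },
  { name: 'ali', email: 'ali@ali.com' },
];
insertUsers(new FakePool(), sampleUsers).then((rows) => console.log(rows));
```

Swap `new FakePool()` for `new Pool()` from `pg` to run it against a real database; the config object is the same.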
Noticed, thanks @ali-7
https://github.com/FACG6/productApp/blob/036198c947adbdf06838e02328cb3be0d4db6187/src/queries/addData.js#L3-L5
This query here is vulnerable to SQL injection; you need to use a parameterized query.
Your query will look like this