Migracode-Barcelona / old-syllabus-contents

!!!Not used anymore!!! Migracode-Barcelona syllabus
https://migracode-barcelona.github.io/syllabus

Security issue with code in "Reading Data" section: SQL injection #10

Open palbcn opened 4 years ago

palbcn commented 4 years ago

There is a code security issue with the contents of Week 20 "Database 3: More integration with NodeJS". In the section "Reading Data", under the paragraph "Another functionality which could be useful is to filter the hotel with a keyword to be able to search for a specific hotel name", the code uses external data directly in a SQL statement, making it a very bad example because of its risk of an SQL injection attack. It should be corrected, or maybe, better, it could be used as an example to explain what an SQL injection attack is, and how to prevent it.
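The pattern the issue describes, next to the parameterised form that fixes it, as an added illustration that is not code from the syllabus. It assumes a `hotels` table with a `name` column and the node-postgres (`pg`) convention `client.query(text, values)`; no database is needed because both functions only build the query.

```javascript
// UNSAFE: the keyword is pasted straight into the SQL text (the pattern the
// issue points at). Whatever the user types becomes part of the statement.
function buildHotelQueryUnsafe(keyword) {
  return `SELECT * FROM hotels WHERE name LIKE '%${keyword}%'`;
}

// SAFE: the SQL text is fixed; the keyword travels separately as a bound value,
// so the driver never treats it as SQL syntax. With pg this is run as
// client.query(q.text, q.values).
function buildHotelQuerySafe(keyword) {
  return {
    text: 'SELECT * FROM hotels WHERE name LIKE $1',
    values: [`%${keyword}%`],
  };
}

// Helper: counts single quotes in the SQL text. An odd count means the
// statement is malformed, i.e. user input has escaped the string literal.
function countQuotes(sql) {
  return (sql.match(/'/g) || []).length;
}

// Constructed input: an ordinary hotel name that happens to contain a quote.
const keyword = "O'Reilly";

console.log(buildHotelQueryUnsafe(keyword));
// SELECT * FROM hotels WHERE name LIKE '%O'Reilly%'
// The quotes are now unbalanced: the text after O' is parsed as SQL, which is
// exactly the opening an injection attack needs.
console.log(JSON.stringify(buildHotelQuerySafe(keyword)));
// {"text":"SELECT * FROM hotels WHERE name LIKE $1","values":["%O'Reilly%"]}
// The SQL text is unchanged; the quote stays inside the data.
```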

fenech commented 4 years ago

I was just about to mention this too. Yesterday I was working with one of the students and they used something like this in their code - I guess they based what they did on this example.