There is currently no way to execute a parameterised SQL query against the Aurora Data API in VTL. Without this, all but the simplest queries cannot be executed in VTL. While there is a `variableMap` field which looks like it should be parameterised, it simply concatenates the strings and is just as vulnerable to SQLi. There is a broad misconception about this in the community (https://github.com/aws/aws-appsync-community/issues/60#issuecomment-546791723), as this separation is the standard way of parameterising queries in all other SQL libraries (including boto3).
Request - please can the `variableMap` field be converted to allow parameterised queries, or a new `parameters` field be added that parameterises the query being made against Aurora.
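An added example, not part of the original issue or of AppSync itself, showing the difference the issue is about: a `variableMap`-style substitution that splices the value into the SQL text (and is injectable) beside a bound parameter that is sent separately from the statement. SQLite stands in for Aurora so the block runs offline; the `data_api_request` helper only builds the keyword arguments that boto3's `rds-data` `execute_statement` accepts (`sql` plus a separate `parameters` list) and does not call AWS. The table, rows, ARNs and the substitution helper are all constructed for this example.

```python
import sqlite3

# Constructed sample data standing in for the Aurora table (not from the issue).
SAMPLE_ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Placeholder ARNs; real values come from your cluster and Secrets Manager.
CLUSTER_ARN = "arn:aws:rds:us-east-1:123456789012:cluster:example"
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example"


def make_db():
    """In-memory SQLite database used in place of Aurora for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vtl_style_substitution(template, variable_map):
    """Mimics the behaviour the issue describes for variableMap: every :name
    placeholder is replaced by the raw, quoted string. This is string
    concatenation, not parameter binding, so quotes in the value break out."""
    sql = template
    for name, value in variable_map.items():
        sql = sql.replace(":" + name, "'" + str(value) + "'")
    return sql


def query_concatenated(conn, name):
    """Vulnerable path: the value is spliced into the SQL text before execution."""
    sql = vtl_style_substitution(
        "SELECT email FROM users WHERE name = :name", {"name": name}
    )
    return [row[0] for row in conn.execute(sql)]


def query_bound(conn, name):
    """Safe path: the SQL text is fixed and the value travels as a named
    parameter, which is what a parameterised Data API call would do."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT email FROM users WHERE name = :name", {"name": name}
        )
    ]


def _to_field(value):
    """Map a Python value onto the rds-data Field structure (bool before int,
    since bool is a subclass of int)."""
    if value is None:
        return {"isNull": True}
    if isinstance(value, bool):
        return {"booleanValue": value}
    if isinstance(value, int):
        return {"longValue": value}
    if isinstance(value, float):
        return {"doubleValue": value}
    return {"stringValue": str(value)}


def data_api_request(sql, params):
    """Build the kwargs for boto3 client('rds-data').execute_statement(**kwargs).
    The statement text is never modified; each value is sent in `parameters`
    and bound server-side to its :name placeholder."""
    return {
        "resourceArn": CLUSTER_ARN,
        "secretArn": SECRET_ARN,
        "sql": sql,
        "parameters": [
            {"name": name, "value": _to_field(value)} for name, value in params.items()
        ],
    }


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"  # classic tautology injection
    print("concatenated:", query_concatenated(conn, payload))  # leaks every row
    print("bound:       ", query_bound(conn, payload))  # matches nothing
    print(data_api_request("SELECT email FROM users WHERE name = :name", {"name": payload}))
```

Run it to see the concatenated query return both rows for the injected value while the bound query returns none; the printed `execute_statement` kwargs show the shape a parameterised Data API call takes, with the SQL text unchanged and the payload carried as `stringValue`.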