Interpolating data into a SQL query like this is super dangerous. Since that query is used for a route, it's possible a user could enter some SQL to be executed on your prod database. You should use the `values` array as the second argument to `db.query` even for `SELECT`s.
https://github.com/fac19/week5-EIJO/blob/a2c98b816c645a3a5c2064915e13cc3564d8dce0/model.js#L9-L13
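The difference between the two call shapes, as an added example that is not code from the linked repository: the function names, the `users` table and the recording `db` stand-in are hypothetical, and the `$1` placeholder style assumes a node-postgres-like `db.query(text, values)`.

```javascript
// Added example with hypothetical names; not the repository's model.js.
// makeRecordingDb() stands in for a real pool: it records what would be sent
// to the server, using the same query(text, values) call shape, so this runs offline.
function makeRecordingDb() {
  const sent = [];
  return {
    sent,
    query(text, values = []) {
      sent.push({ text, values });
      return Promise.resolve({ rows: [] });
    },
  };
}

// Before: the request value becomes part of the SQL text itself,
// so a quote in the input changes the statement the server parses.
function getUserInterpolated(db, username) {
  return db.query(`SELECT * FROM users WHERE username = '${username}'`);
}

// After: the SQL text is a constant; the value travels separately as $1
// and is only ever treated as data.
function getUserParameterized(db, username) {
  return db.query("SELECT * FROM users WHERE username = $1", [username]);
}

// Run both forms over the same inputs and count the distinct SQL texts produced.
function compare(inputs) {
  const a = makeRecordingDb();
  const b = makeRecordingDb();
  for (const input of inputs) {
    getUserInterpolated(a, input);
    getUserParameterized(b, input);
  }
  return {
    interpolatedTexts: new Set(a.sent.map((q) => q.text)).size,
    parameterizedTexts: new Set(b.sent.map((q) => q.text)).size,
    parameterizedValues: b.sent.map((q) => q.values[0]),
  };
}

// Constructed inputs: one ordinary name, one containing a quote and SQL keywords.
const SAMPLE_INPUTS = ["oli", "x' OR '1'='1"];
console.log(compare(SAMPLE_INPUTS));
```

A constant query text per route is also easy to check in review or with a lint rule: any template literal or string concatenation passed as the first argument to `db.query` is worth flagging.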