Closed aaronyo closed 7 years ago
If I forget to add the 'SQL' tag in front of a template string, the SQL statement may still work but is now susceptible to injection.
Any thoughts on this? I can think of some workarounds, like making an eslint plugin or wrapping pg.query inside a safety helper method. Not great solutions, though.
Perhaps I'm missing better ways to minimize this concern? I really like the syntax of using template strings here, but I don't like that such an easy mistake could leave me vulnerable.
I would say the best option would be to ask the driver to only accept object arguments and throw on plain strings. Most drivers also don't allow multiple statements in the same query without an explicit option.
So if I'm using node-pg, by "ask the driver to only accept object arguments" you mean monkey patch it? It does seem that monkey patching node-pg Client.query is pretty common, though I generally try to just stick with the interface...
No, by asking I meant opening an issue/PR at the repo to add support for that
Thank you for the suggestion. I'll go ahead and close this as I don't think there's a next step.
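The failure mode and the mitigation discussed in this thread, as an added example in JavaScript that is not code from the issue, from sql-template-strings or from node-pg. The `SQL` tag below is a minimal stand-in written for this example (the real library's tag returns a richer statement object); `guardedQuery` is an assumed name for the "safety helper" wrapping a query, and it does what the maintainer suggests asking the driver to do: accept only `{ text, values }` statement objects and throw on plain strings, so a template literal whose tag was forgotten fails loudly instead of running with the input spliced into the SQL. The client and the user input are constructed for the example.

```javascript
// Added example, not code from the issue, sql-template-strings or node-pg.
// `SQL`, `guardedQuery`, `isRejected`, `fakeClient` and the inputs are
// assumptions made here for illustration.

// Minimal stand-in for an SQL tag. A tag function receives the literal text
// pieces and the interpolated values separately, so the values never enter
// the query text; they become $1, $2, ... parameters instead, giving the
// { text, values } shape node-pg's client.query accepts.
function SQL(strings, ...values) {
  const text = strings.reduce((acc, piece, i) => acc + '$' + i + piece);
  return { text, values };
}

// Shape check for a parameterized statement object.
function isStatement(q) {
  return (
    q !== null &&
    typeof q === 'object' &&
    typeof q.text === 'string' &&
    Array.isArray(q.values)
  );
}

// The guard the thread talks about: only statement objects reach the driver.
// A template literal whose SQL tag was forgotten evaluates to a plain string,
// so it is rejected here rather than executed.
function guardedQuery(client, query) {
  if (typeof query === 'string') {
    throw new TypeError('plain string query rejected (forgotten SQL tag?): ' + query);
  }
  if (!isStatement(query)) {
    throw new TypeError('query must be a { text, values } statement object');
  }
  return client.query(query);
}

// Returns true when guardedQuery refuses the query, false when it passes it on.
function isRejected(client, query) {
  try {
    guardedQuery(client, query);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}

// Constructed stand-in for a pg client: it records and returns what it would
// have sent to the database, so the example runs offline.
const fakeClient = {
  sent: [],
  query(q) {
    this.sent.push(q);
    return q;
  },
};

// Constructed hostile input.
const userInput = "' OR '1'='1";

// Tagged: the payload stays in values[0]; the text only carries a placeholder.
const tagged = SQL`SELECT * FROM users WHERE name = ${userInput}`;
// tagged.text   -> "SELECT * FROM users WHERE name = $1"
// tagged.values -> ["' OR '1'='1"]

// Tag forgotten: the same template literal is now a string with the payload
// inside the SQL text, and an unguarded client.query(string) would run it.
const untagged = `SELECT * FROM users WHERE name = '${userInput}'`;
// untagged -> "SELECT * FROM users WHERE name = '' OR '1'='1'"

console.log(guardedQuery(fakeClient, tagged).text); // placeholder, not the payload
console.log(isRejected(fakeClient, untagged));      // true: TypeError instead of execution
```

The wrapper is the runtime half of the two options the reporter lists; the eslint route would catch the missing tag at lint time instead, and the maintainer's preferred fix is the same string check living in the driver itself. Note that a tag parameterizes rather than escapes: the placeholder in the tagged form is not wrapped in quotes, because the driver sends `values` out of band.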