jakajancar / pgc4d

A full-featured PostgreSQL Client for Deno
MIT License
21 stars, 3 forks

Question: Sanitisation #4

Closed ebebbington closed 4 years ago

ebebbington commented 4 years ago

Is sanitisation in place under the hood, or is it down to the developer to sanitise the input themselves?

jakajancar commented 4 years ago

If you use placeholders in queries ($1, $2, ...) and pass the values as the second argument to `query()`, you do not need to do (and should not do) any escaping. The values are encoded and sent to the server separately from the query.

If you were to insert the values directly into the query, you would need to escape them yourself as per postgres' syntax. But I don't know why you would want to do that.
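To make the two paragraphs above concrete, here is an added TypeScript example (not pgc4d's own code) contrasting the three ways of getting a value into a query: interpolating it into the SQL text, using a `$1` placeholder with the value passed separately, and, for the rare statement that cannot take placeholders, quoting it by hand per PostgreSQL's literal syntax. The `{ text, params }` shape, the function names and the sample input are assumptions made for the example; the quoting rules follow the ones libpq's `PQescapeLiteral` / `PQescapeIdentifier` apply.

```typescript
// Added example, not part of pgc4d. Shows why placeholders need no escaping
// and what correct manual quoting looks like if you ever must inline a value.

// Constructed sample input: a classic tautology payload.
const payload = "alice' OR '1'='1";

// 1. Vulnerable: the value becomes part of the SQL text, so the server
//    parses the attacker's quote and OR as SQL.
function interpolated(username: string): string {
  return `SELECT id FROM users WHERE username = '${username}'`;
}

// 2. Safe: the query text is fixed and the value travels separately in the
//    bind step, which is what placeholders plus a values argument give you.
//    (Hypothetical shape; pgc4d's query() takes text and values as arguments.)
interface PreparedQuery {
  text: string;
  params: unknown[];
}
function parameterized(username: string): PreparedQuery {
  return { text: "SELECT id FROM users WHERE username = $1", params: [username] };
}

// 3. Manual quoting per PostgreSQL literal syntax, for statements that do
//    not accept parameters (some DDL). Single quotes are doubled; if a
//    backslash is present it is doubled too and the literal switches to the
//    E'' form, so the result is correct whether or not
//    standard_conforming_strings is on. A NUL byte cannot appear in a
//    PostgreSQL string literal at all, so it is rejected rather than encoded.
function quoteLiteral(value: string): string {
  if (value.includes("\0")) {
    throw new Error("NUL byte cannot be represented in a PostgreSQL string literal");
  }
  let hasBackslash = false;
  let out = "'";
  for (const c of value) {
    if (c === "'") {
      out += "''";
    } else if (c === "\\") {
      out += "\\\\";
      hasBackslash = true;
    } else {
      out += c;
    }
  }
  out += "'";
  // Leading space keeps the E from fusing with a preceding identifier.
  return hasBackslash ? " E" + out : out;
}

// Identifiers (table/column names) use double quotes, doubled when embedded.
function quoteIdentifier(name: string): string {
  if (name.includes("\0")) {
    throw new Error("NUL byte cannot be represented in a PostgreSQL identifier");
  }
  return '"' + name.replace(/"/g, '""') + '"';
}

// The same SELECT built with manual quoting: the payload stays one literal.
function quotedQuery(username: string): string {
  return `SELECT id FROM users WHERE username = ${quoteLiteral(username)}`;
}

// Stand-alone demo of the three forms.
console.log("interpolated :", interpolated(payload));
console.log("parameterized:", parameterized(payload));
console.log("hand-quoted  :", quotedQuery(payload));
```

Running it shows the interpolated form has become `... username = 'alice' OR '1'='1'`, while the parameterized form's text never changes and the hand-quoted form keeps the whole payload inside a single literal. Prefer form 2 everywhere it is possible; form 3 is the fallback the second paragraph refers to, and getting it right is exactly the work placeholders save you.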

ebebbington commented 4 years ago

Ok cool, thanks for answering :) Though it feels like it isn't directly mentioned, I think it would be a good point to mention, as like you said, no one really wants to run queries without escaping, and it takes the load off the developer :)