origo-map / origo-server

Origo server
BSD 2-Clause "Simplified" License

pgdefault.js doesn't appear to treat the search parameter in the pg-promise recommended way #103

Open Grammostola opened 2 years ago

Grammostola commented 2 years ago

Never use ES6 template strings or manual concatenation to generate queries, as both can easily result in broken queries! Only this library's formatting engine knows how to properly escape variable values for PostgreSQL.

pgdefault.js is one long manual concatenation, but all values for tables, fields and other search-table-related details are part of the dbconfig.js for origo server; the only obvious place for injection attacks would be the search field.

" AS TEXT)) ILIKE LOWER('" + condition + "%')" + is how it currently looks, and it can be changed to employ an index variable so that the query(any) method employs the current string including a $1 variable instead of condition, which gets expanded by sending the condition in an array as the second argument (possibly with a "%" suffix and without that % in the string).
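The two shapes of the query described above, side by side, as an added example that is not code from origo-server or pg-promise. The table and field names are hypothetical stand-ins for what origo-server reads from dbconfig.js; the returned `text`/`values` pair is what would be handed to pg-promise's `db.any(text, values)`.

```javascript
// Added example (not origo-server code). TABLE and FIELD are assumed names
// standing in for the dbconfig.js values the real pgdefault.js reads.
const TABLE = 'search_table';
const FIELD = 'search_field';

// Current style from the issue: the user-supplied search string is spliced
// straight into the SQL text, so any quote in it changes the query itself.
function buildSearchUnsafe(condition) {
  return {
    text: 'SELECT * FROM ' + TABLE + ' WHERE LOWER(CAST(' + FIELD +
          " AS TEXT)) ILIKE LOWER('" + condition + "%')",
    values: [],
  };
}

// Proposed style: the SQL text is constant and carries a $1 placeholder;
// the search string (with the '%' suffix moved onto the value) travels in
// the values array, which is what the driver escapes for PostgreSQL.
function buildSearchSafe(condition) {
  return {
    text: 'SELECT * FROM ' + TABLE + ' WHERE LOWER(CAST(' + FIELD +
          ' AS TEXT)) ILIKE LOWER($1)',
    values: [condition + '%'],
  };
}

// Cheap sanity check a reviewer can run over generated SQL text: an odd
// number of single quotes means a literal was broken open by the input.
function hasUnbalancedQuotes(sql) {
  const quotes = (sql.match(/'/g) || []).length;
  return quotes % 2 !== 0;
}

// Constructed input: a perfectly ordinary name that contains an apostrophe.
const sample = "O'Brien";
console.log('unsafe:', buildSearchUnsafe(sample).text,
            'broken =', hasUnbalancedQuotes(buildSearchUnsafe(sample).text));
console.log('safe:  ', buildSearchSafe(sample).text,
            'values =', buildSearchSafe(sample).values);
```

With the parameterised form the SQL text is identical for every search term, which is also what lets PostgreSQL reuse the prepared plan.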

MattiasSp commented 2 years ago

This is also the case in mssqldefault.js and in oracledefault.js, isn't it? All three cases would benefit from this I think.

Grammostola commented 2 years ago

Hi, hmm yes, looking at https://www.npmjs.com/package/mssql#es6-tagged-template-literals and https://oracle.github.io/node-oracledb/doc/api.html#examplequery I think there might be some room for potential improvement in all three. Could be healthy updating some of those dependencies too. I'm hoping to be able to spend some time on this this spring.