
SQL Injection in Node.js - ForbesLindesay
https://www.atdatabases.org/blog/2019/07/29/sql-injection-in-node
======
mcv
I'm not entirely sure what the point of this is. Do we want people to write
code that looks unsafe and raises red flags?

~~~
ForbesLindesay
No, the point is that people do write code that is unsafe. A cursory glance at
recent Stack Overflow questions tagged with "node.js" and "sql" shows many
questions and answers with SQL Injection vulnerabilities.

By providing an API that makes it virtually impossible to create an SQL
Injection vulnerability, we can allow novices to write code safely. Once you
know what the `sql` tag is doing, it's really easy to review the code and be
confident it isn't vulnerable.

~~~
mcv
Until you accidentally leave out that `sql` tag. Or will that now generate an
error?

~~~
ForbesLindesay
Yes, as it says in the article. The tag returns a class that's an instance of
SQLQuery. All the @databases clients only accept SQLQuery instances and don't
accept strings. This means you get a runtime error if you're using JavaScript,
and a type error at build time if you're using TypeScript.
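The mechanism described in this thread, shown as an added example rather than @databases' own code: a `sql` tagged template that returns `SQLQuery` instances, and a client that refuses plain strings so that a forgotten tag fails at runtime instead of silently building an injectable query. The `SQLQuery` name comes from the thread; the internal `parts` layout, the `compile()` method, the `$1, $2` placeholder style and the `runQuery` client are assumptions made for this example.

```javascript
// Added example (not @databases' own code): a minimal `sql` tag that
// produces SQLQuery objects, and a client that refuses anything else.

class SQLQuery {
  // Assumed internal layout: an ordered list of literal text fragments
  // ({text}) and bound parameter values ({value}).
  constructor(parts) {
    this.parts = parts;
  }

  // Render to a parameterised statement using $1, $2, ... placeholders
  // (Postgres style, chosen for this example). Values never enter the text.
  compile() {
    let text = '';
    const values = [];
    for (const part of this.parts) {
      if ('text' in part) {
        text += part.text;
      } else {
        values.push(part.value);
        text += '$' + values.length;
      }
    }
    return { text, values };
  }
}

// The tag: literal template text stays SQL, every interpolation becomes a
// bound parameter unless it is itself an SQLQuery, which is spliced in so
// that query fragments compose without string concatenation.
function sql(strings, ...interpolations) {
  const parts = [];
  strings.forEach((str, i) => {
    parts.push({ text: str });
    if (i < interpolations.length) {
      const v = interpolations[i];
      if (v instanceof SQLQuery) {
        parts.push(...v.parts);
      } else {
        parts.push({ value: v });
      }
    }
  });
  return new SQLQuery(parts);
}

// Stand-in for a database client (hypothetical). It accepts only SQLQuery
// instances; a bare string is the signature of a missing tag and is rejected.
function runQuery(q) {
  if (!(q instanceof SQLQuery)) {
    throw new TypeError('runQuery expects an SQLQuery built with the sql tag, not a string');
  }
  return q.compile();
}

// Constructed input containing a quote character: with the tag it is simply
// parameter $1 and never touches the statement text.
function lookupUser(name, active) {
  return runQuery(sql`SELECT * FROM users WHERE name = ${name} AND active = ${active}`);
}

// Fragments compose: the inner SQLQuery is spliced as SQL, its value still bound.
function lookupById(id) {
  const where = sql`WHERE id = ${id}`;
  return runQuery(sql`SELECT * FROM users ${where}`);
}

// Forgetting the tag yields a plain string; the client refuses it at runtime.
function withoutTag(name) {
  try {
    runQuery(`SELECT * FROM users WHERE name = '${name}'`);
    return 'accepted';
  } catch (e) {
    return e instanceof TypeError ? 'rejected' : 'other error';
  }
}
```

With TypeScript, declaring `runQuery(q: SQLQuery)` moves the same check to build time, which is the type-error case mentioned above.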

