
Show HN: PgTyped – Typesafe SQL – TypeScript types generator for raw SQL queries - alde
https://github.com/adelsz/pgtyped
======
philipkiely
Very interesting. If processing a query off of user input, what mechanisms
have you implemented/do you plan to implement to prevent SQL injection? If
that is not within the scope of this library, what additional package(s) would
you recommend using in partnership with this library to prevent SQL injection?

~~~
alde
PgTyped doesn't include a query executor. It transforms a query and its
parameters into a format of parametrized query+parameter bindings, which are
then sent into a Postgres DB driver of your choice. A proper DB driver sends
the query+parameter bindings pair to the DB. This means that the actual
parameter substitution is done on the Postgres server and so SQL injections
are prevented on the DB server side. The driver we recommend and use is
node-postgres. It does support parametrized query passing.

------
Findeton
Have you looked into other options like Strontium?
[https://github.com/StrontiumJS/Framework/blob/master/tests/q...](https://github.com/StrontiumJS/Framework/blob/master/tests/query/drivers/SQLFilterCompiler.spec.ts)

