
I am trying to make my SQL statements more secure for an API that I am developing. While I know that there are ORM tools that make this easier, I am new at this and want to understand the basics and best practices. I first created an SQL statement that concatenated the values into a string. It was recommended in a previous post of mine that it would leave me vulnerable to SQL injections. I tried the recommended approach but was not successful. The question mark used as a placeholder was never replaced with the value I was trying to pass it.

Note: although related, it is not a duplicate of Passing a node.js parameter in sql query. The usage and solutions are slightly different.

Any help would be greatly appreciated!

I have tried several ways but each time the ? was never replaced. I can see this in the console. I also logged the value of 'id' to make sure that there was a value to be passed at that level in the function's scope.

Note: this originated from the following issue: How do I insert a value into a select statement using JavaScript, specifically when using express and postgres?

This works but is not very safe...

    return db.query(`SELECT * FROM users WHERE id = ${id}`);

None of the following worked...

    return db.query('SELECT * FROM `users` WHERE `id` = ?',['id']);
    return db.query('SELECT * FROM users WHERE id = ?',['id']);
    return db.query('SELECT * FROM users WHERE id = ?',[id]);
    return db.query('SELECT * FROM users WHERE id = ?',id);
    return db.query(`SELECT * FROM users WHERE id = ?`,id);

Each time the console shows the following...

    QUERY:  SELECT * FROM users WHERE id = ?
  • Possible duplicate of Passing a node.js parameter in sql query Commented Sep 8, 2019 at 20:54
  • Link the official documentation for db.js Commented Sep 8, 2019 at 21:02
  • The docs say you need to use $1, $2 etc Commented Sep 8, 2019 at 21:09
  • @ChrisG thanks! This resolved my issue. Commented Sep 9, 2019 at 12:55
  • Note: although related, it is not a duplicate of stackoverflow.com/questions/47538998/…. The usage and solutions are slightly different. Commented Sep 9, 2019 at 12:57

1 Answer


Using $ as a placeholder rather than a question mark with Node.js worked.

Example:

    return db.query('SELECT * FROM users WHERE id = $1',[id]);
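As an added example (not the asker's or the answerer's code), the following puts the interpolated query from the question next to the `$1` form from the answer and runs both against a stub `db` object (an assumption standing in for a pg pool) that only records what would be sent, so the difference is visible without a database.

```javascript
// Added example, not code from the original post. Uses node-postgres (pg) style
// placeholders; the stub "db" below is an assumption that records calls instead
// of talking to a real server.

// The form from the question: the value is spliced into the SQL text itself,
// so whatever is in `id` becomes part of the statement the server parses.
function unsafeUserQuery(id) {
  return { text: `SELECT * FROM users WHERE id = ${id}`, values: [] };
}

// Parameterized form: pg uses $1, $2, ... as placeholders (the `?` style belongs
// to the mysql driver, which is why it was never substituted here). The SQL text
// stays constant and the value is sent separately, never parsed as SQL.
function safeUserQuery(id) {
  return { text: 'SELECT * FROM users WHERE id = $1', values: [id] };
}

// Stub database (assumption): mimics pool.query(text, values) by recording the
// call and resolving with what would have been sent.
function makeRecordingDb() {
  const calls = [];
  return {
    calls,
    query(text, values = []) {
      calls.push({ text, values });
      return Promise.resolve({ rows: [], text, values });
    },
  };
}

// Same call shape as the accepted answer: db.query(text, [id]).
function findUserById(db, id) {
  const { text, values } = safeUserQuery(id);
  return db.query(text, values);
}

// Constructed input that is not a plain id, to show the contrast.
const crafted = '1 OR 1=1';
const db = makeRecordingDb();
findUserById(db, crafted);
console.log(unsafeUserQuery(crafted).text); // input has become part of the SQL
console.log(db.calls[0]);                   // text unchanged, value carried separately
```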
