Escaped parameters in raw sql
For a few queries I made PostgreSQL functions; this is the current way I call this function:
The only thing I could find in the docs for .val is:
sql.val(value) is a shortcut for:
sql<ValueType>`${value}`
while the others have warnings like:
WARNING! Using this with unchecked inputs WILL lead to SQL injection vulnerabilities. The input is not checked or escaped by Kysely in any way.
My question is, is my method of querying the function correct or are there better ways to query those? And are inputs escaped by using .val?
Solution
That's fine, but you don't even need to use sql.val in this case
https://kyse.link/?p=s&i=MEBVYcJHvb7Uj4c6chaI

Oh wow, that's even better, thanks!
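The point behind the answer is that a value interpolated into the sql tagged template is sent to the database as a bind parameter, so it never becomes part of the SQL text and needs no escaping; sql.val only makes that explicit. The helpers that carry the warning splice their argument into the SQL text verbatim. The following added example is a toy model of that mechanism written for this page; it is not Kysely's code, and the function find_user, the users table and the column names are hypothetical:

```typescript
// Added example (not Kysely's code): a toy model of a tagged `sql` template
// that turns interpolated values into bind parameters, so the SQL text never
// contains caller-supplied data. Function and table names are hypothetical.

interface CompiledQuery {
  sql: string;           // text sent to the database, with $1, $2, ... placeholders
  parameters: unknown[]; // values sent separately, never spliced into the text
}

// Marker for a fragment spliced into the SQL text unchecked, the analogue of
// the helpers the warning above refers to (sql.raw, sql.ref, ...).
class RawFragment {
  constructor(readonly text: string) {}
}
function raw(text: string): RawFragment {
  return new RawFragment(text);
}

// Marker for an explicitly bound value, the analogue of sql.val.
class BoundValue {
  constructor(readonly value: unknown) {}
}
function val(value: unknown): BoundValue {
  return new BoundValue(value);
}

function sql(strings: TemplateStringsArray, ...values: unknown[]): CompiledQuery {
  let text = "";
  const parameters: unknown[] = [];
  for (let i = 0; i < strings.length; i++) {
    text += strings[i];
    if (i >= values.length) continue;
    const v = values[i];
    if (v instanceof RawFragment) {
      text += v.text; // unchecked: the caller must guarantee this is safe
    } else {
      // Plain interpolation and val() end up in the same place: a parameter.
      parameters.push(v instanceof BoundValue ? v.value : v);
      text += `$${parameters.length}`;
    }
  }
  return { sql: text, parameters };
}

// Calling a hypothetical PostgreSQL function find_user(text, int).
// Both arguments become bind parameters; no escaping is needed.
function findUserQuery(name: string, limit: number): CompiledQuery {
  return sql`select * from find_user(${name}, ${limit})`;
}

// The same call built by string concatenation: a single quote in an ordinary
// name terminates the literal early, which is the defect parameters remove.
function findUserQueryByConcat(name: string): string {
  return `select * from find_user('${name}')`;
}

// Identifiers cannot be bind parameters, so a dynamic sort column has to be
// spliced in raw; an allowlist check is what keeps that safe.
const SORTABLE_COLUMNS = new Set(["name", "created_at"]);
function listUsersQuery(sortBy: string): CompiledQuery {
  if (!SORTABLE_COLUMNS.has(sortBy)) {
    throw new Error(`unsupported sort column: ${sortBy}`);
  }
  return sql`select * from users order by ${raw(sortBy)}`;
}

console.log(findUserQuery("O'Brien", 10));
// → { sql: "select * from find_user($1, $2)", parameters: ["O'Brien", 10] }
```

Running it shows why the answer says sql.val is unnecessary here: `sql\`... ${x}\`` and `sql\`... ${val(x)}\`` compile to the same query, with x in the parameter list rather than in the text. The raw path is the one to audit in a code review: anything passed to it must come from a fixed set the application controls, as in listUsersQuery, never straight from a request.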