Kysely•2y ago

Escaped paramaters in raw sql

For a few queries I made postgreSQL functions, this is the current way of how I call this function:

export async function getRandomAnswerByQuestionId({ questionId, answerLimit }: { questionId: string, answerLimit: number }) {
    return sql`SELECT * FROM get_random_answers(${sql.val(questionId)}, ${sql.val(answerLimit)})`.execute(databaseClient);
}

export async function getRandomAnswerByQuestionId({ questionId, answerLimit }: { questionId: string, answerLimit: number }) {
    return sql`SELECT * FROM get_random_answers(${sql.val(questionId)}, ${sql.val(answerLimit)})`.execute(databaseClient);
}

only thing I could find on the docs for .val is:

sql.val(value) is a shortcut for: sql<ValueType>${value}

while the others have warnings like:

WARNING! Using this with unchecked inputs WILL lead to SQL injection vulnerabilities. The input is not checked or escaped by Kysely in any way.

My question is, is my method of querying the function correct or are there better ways to query those? And are inputs escaped by using .val?

Solution:

That's fine, but you don't even need to use sql.val in this case https://kyse.link/?p=s&i=MEBVYcJHvb7Uj4c6chaI...

Jump to solution

2 Replies

Solution

koskimas•2y ago

That's fine, but you don't even need to use sql.val in this case https://kyse.link/?p=s&i=MEBVYcJHvb7Uj4c6chaI

NickOP•2y ago

Oh wow thats even better, thanks!

Gaming

Programming

Escaped paramaters in raw sql

Did you find this page helpful?