Is ilike vulnerable to SQL injections?

import { ilike } from "drizzle-orm";

const userInput = "asdf";
db.select().from(table).where(ilike(table.column, `%${userInput}%`));

import { ilike } from "drizzle-orm";

const userInput = "asdf";
db.select().from(table).where(ilike(table.column, `%${userInput}%`));

3 Replies

Gavin•12mo ago

I think you should be using the sql`` operator: https://orm.drizzle.team/docs/sql

Drizzle ORM | %s

bluesky•12mo ago

Thank you, yes I'll try it, but I still wonder whether or not simply using the operator like this leaves the code vulnerable

Angelelz•12mo ago

The sql operator protects from sql inyections