DT
Drizzle Team14mo ago
bluesky

Is ilike vulnerable to SQL injections?

Modified from the post: https://orm.drizzle.team/docs/operators#ilike See code below: 
import { ilike } from "drizzle-orm";

const userInput = "asdf";
db.select().from(table).where(ilike(table.column, `%${userInput}%`));
import { ilike } from "drizzle-orm";

const userInput = "asdf";
db.select().from(table).where(ilike(table.column, `%${userInput}%`));
3 Replies
Gavin
Gavin14mo ago
I think you should be using the sql`` operator: https://orm.drizzle.team/docs/sql
Magical sql operator 🪄 - DrizzleORM
Drizzle ORM | %s
bluesky
blueskyOP14mo ago
Thank you, yes I'll try it, but I still wonder whether or not simply using the operator like this leaves the code vulnerable
Angelelz
Angelelz14mo ago
The sql operator protects from sql inyections
Want results from more Discord servers?
Add your server