how to use ilike securely?

ilike(table, sql`%${userQuery}%`) produces the wrong SQL code by adding quotes around the userQuery text. However, we can't use sql.raw as it would make this susceptible to SQL injection. How can we interpolate user-provided input for ilike? Thx
Tim (from typesafe.courses)
ilike(table, %${query}% is not a valid SQL fragment => '%'queryText'%' instead of '%queryText%'
Angelelz (13mo ago)
sql`${"%" + userQuery + "%"}`
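Added example, not code from the thread or from Drizzle: a toy `sql` tag that emulates how an ORM splits a template into SQL text plus bound parameters, to show why the `%` wildcards have to be built into the JavaScript string before interpolation (the approach in Angelelz's reply). It also escapes `%`, `_` and `\` in the user text so they match literally, which the thread does not cover; the names `sql`, `escapeLikePattern`, `containsPattern`, `wrongFragment` and `rightFragment` are hypothetical.

```javascript
// Toy `sql` tag (not Drizzle's): literal text is kept as-is, every interpolated
// value becomes a positional placeholder ($1, $2, ...) and is pushed to params.
function sql(strings, ...values) {
  const params = [];
  let text = "";
  strings.forEach((chunk, i) => {
    text += chunk;
    if (i < values.length) {
      params.push(values[i]);
      text += `$${params.length}`;
    }
  });
  return { text, params };
}

// Escape LIKE/ILIKE metacharacters so user text is matched literally.
// Assumes the backslash escape character, which is PostgreSQL's default.
function escapeLikePattern(input) {
  return input.replace(/[\\%_]/g, (ch) => "\\" + ch);
}

// Build the complete "%...%" pattern in JavaScript first, so the whole
// pattern travels to the database as a single bound parameter.
function containsPattern(userQuery) {
  return "%" + escapeLikePattern(userQuery) + "%";
}

// The form from the question: the % signs stay in the SQL text on either side
// of the placeholder, so the pattern is not one quoted string (the thread
// reports it rendering as '%'queryText'%' instead of '%queryText%').
function wrongFragment(userQuery) {
  return sql`%${userQuery}%`;
}

// The form from the reply: one interpolation, one parameter, wildcards inside it.
function rightFragment(userQuery) {
  return sql`${containsPattern(userQuery)}`;
}

// Constructed sample input containing LIKE metacharacters.
console.log(wrongFragment("50%_off"));  // text "%$1%", params ["50%_off"]
console.log(rightFragment("50%_off"));  // text "$1",   params ["%50\\%\\_off%"]
```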