I need to test it a bit more in the following days to make sure everything works fine. But the idea is to use a second, optional parameter to .query() or a query object key (described in the draft PR).
Adds a dependency on SqlString.
Please let me know what you think about the PR.
Edit: I will update code documentation to reflect the availability of named bound parameters as well as array bound params.
Hi all
Apologies if this is not the right place to ask this, but I am wondering if there is a straightforward way of adding parameter escaping for .query()? Much like with other SQL implementations, Athena queries can also suffer from SQL injection, and as such, I was wondering if athena-express should natively support bound parameters? Something like .query(sql, params), where sql = "SELECT * FROM table WHERE column = [?|:paramName]" and params is either an array of params to replace ? or an object with keys for param names (i.e.: {paramName: 'paramValue' }).
Edit: at the moment I am using https://www.npmjs.com/package/sqlstring, happy to issue a PR with native parameters support.
Regards,
Flaviu
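As an added example (not code from the issue, the draft PR or athena-express itself), here is a minimal JavaScript implementation of the `.query(sql, params)` binding described above, supporting both positional `?` and named `:paramName` placeholders. One caveat a practitioner will want on the approach in the post: the sqlstring package produces MySQL-style backslash escaping, whereas Athena's SQL (Presto-based) escapes a single quote inside a string literal by doubling it and treats a backslash as an ordinary character, so this example doubles quotes instead. The placeholder syntax, the helper names and the `athenaExpress.query(bind(sql, params))` usage are assumptions, not the library's API.

```javascript
// Added example, not code from athena-express or from the PR in this thread.
// Client-side binding of positional "?" and named ":name" parameters into an
// Athena (Presto/Trino-style) SQL string. Assumption: athena-express is handed
// the finished string. Athena escapes a single quote inside a string literal by
// doubling it; a backslash is an ordinary character there, so MySQL-style
// backslash escaping (what the sqlstring package produces) is not used here.

// One regex pass over the SQL text. String literals and quoted identifiers are
// matched first so that a "?" or ":word" inside them is never treated as a
// placeholder. Capture group 1 is the name of a ":name" placeholder.
const TOKEN = /'(?:[^']|'')*'|"(?:[^"]|"")*"|\?|:([A-Za-z_]\w*)/g;

// Render one JavaScript value as an Athena SQL literal.
function escapeValue(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'boolean') return value ? 'TRUE' : 'FALSE';
  if (typeof value === 'bigint') return value.toString();
  if (typeof value === 'number') {
    if (!Number.isFinite(value)) throw new TypeError(`cannot bind non-finite number ${value}`);
    return String(value);
  }
  if (typeof value === 'string') return `'${value.replace(/'/g, "''")}'`;
  if (value instanceof Date) {
    if (Number.isNaN(value.getTime())) throw new TypeError('cannot bind invalid Date');
    // 2024-01-02T03:04:05.123Z -> TIMESTAMP '2024-01-02 03:04:05.123' (UTC)
    return `TIMESTAMP '${value.toISOString().replace('T', ' ').replace('Z', '')}'`;
  }
  if (Array.isArray(value)) {
    // Arrays expand to a parenthesised list, e.g. for IN (...)
    if (value.length === 0) throw new TypeError('cannot bind an empty array');
    return `(${value.map(escapeValue).join(', ')})`;
  }
  throw new TypeError(`cannot bind value of type ${typeof value}`);
}

// bind(sql, params): params is an array (for "?" placeholders) or a plain object
// (for ":name" placeholders). Every placeholder must be supplied and, for arrays,
// every supplied value must be used, so a mismatch fails loudly instead of
// silently producing a different query.
function bind(sql, params) {
  const positional = Array.isArray(params);
  let next = 0;
  const bound = sql.replace(TOKEN, (match, name) => {
    if (match[0] === "'" || match[0] === '"') return match; // literal or identifier: untouched
    if (match === '?') {
      if (!positional) throw new Error('"?" placeholder used but params is not an array');
      if (next >= params.length) throw new Error('not enough positional params');
      return escapeValue(params[next++]);
    }
    if (positional) throw new Error(`named placeholder :${name} used but params is an array`);
    if (!Object.prototype.hasOwnProperty.call(params, name)) {
      throw new Error(`missing value for named param :${name}`);
    }
    return escapeValue(params[name]);
  });
  if (positional && next !== params.length) {
    throw new Error(`${params.length} positional params supplied, ${next} placeholders found`);
  }
  return bound;
}

// Constructed sample input: a quote-breakout string stays inside its literal.
function demo() {
  const hostile = "O'Brien' OR '1'='1";
  return {
    positional: bind('SELECT * FROM logs WHERE user = ? AND n > ?', [hostile, 5]),
    named: bind("SELECT * FROM t WHERE col = :name AND note = 'why?'", { name: 'x' }),
    inList: bind('SELECT * FROM t WHERE id IN :ids', { ids: [1, 2, 3] }),
  };
}

// Assumed usage with athena-express (its .query() taking the finished string):
//   const results = await athenaExpress.query(bind(sql, params));
console.log(demo());
```

The `?` inside `'why?'` and any `:word` inside a string literal or a double-quoted identifier are left alone because the tokenizer consumes the whole literal before it looks for placeholders; the positional count check catches the common bug of adding a placeholder without adding its value (or the reverse).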