KyselyK
Kysely3y ago
Nick

Escaped paramaters in raw sql

For a few queries I made postgreSQL functions, this is the current way of how I call this function:
export async function getRandomAnswerByQuestionId({ questionId, answerLimit }: { questionId: string, answerLimit: number }) {
    return sql`SELECT * FROM get_random_answers(${sql.val(questionId)}, ${sql.val(answerLimit)})`.execute(databaseClient);
}


only thing I could find on the docs for .val is:

sql.val(value) is a shortcut for:

sql<ValueType>${value}

while the others have warnings like:

WARNING! Using this with unchecked inputs WILL lead to SQL injection vulnerabilities. The input is not checked or escaped by Kysely in any way.

My question is, is my method of querying the function correct or are there better ways to query those? And are inputs escaped by using .val?
Solution
That's fine, but you don't even need to use sql.val in this case

https://kyse.link/?p=s&i=MEBVYcJHvb7Uj4c6chaI
Jump to solution
Was this page helpful?