I can use literal in Sequelize to manually build a SQL query part:
sequelize.literal(`"foo".bar ILIKE '%baz%'`)
But if I want to add a var in this literal block, I now introduce an SQL injection vulnerability:
sequelize.literal(`"foo".name ILIKE '%${myVar}%'`)
Is there a Sequelize way to protect variables in literal blocks?
You could use escape:
const escapedSearch = sequelize.escape(`%${myVar}%`);
sequelize.literal(`"foo".name ILIKE ${escapedSearch}`);
See: https://sequelize.org/master/class/lib/sequelize.js~Sequelize.html#instance-method-escape
You may use replacements and ? to avoid SQL injection:
sequelize.query(`SELECT * FROM "foo" WHERE "foo".name ILIKE ?`,
  // put the wildcards in the value, not in the SQL: writing '%?%' would
  // substitute the inner ? as its own quoted literal and break the statement
  { replacements: [`%${myVar}%`], type: sequelize.QueryTypes.SELECT }
)