sqlite-worker: Problem injecting into query

Hi,

For some reason, the following throws an error:

let table = 'todos';
await all`SELECT * FROM ${table} `

It seems strings can’t be injected into backtick quotes when querying, but they do work when executing. Am I doing something wrong?

Thanks

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 26 (14 by maintainers)

Most upvoted comments

Also, to be honest, this would just work:

await query`CREATE TABLE IF NOT EXISTS TEST54 (Property text not null,Value text not null)`;

so you have all options in here.

You can’t create raw parts of the query unless you use the raw utility, see: https://github.com/WebReflection/sqlite-tag#api

The raw utility is also not possible via Worker; you need a direct handler, as described here: https://github.com/WebReflection/sqlite-worker#after-initialization-helpers

Alternatively, you can use static-params to implement your raw helper anywhere you like, including the worker.

In a few words, you have discovered that this module is SQL Injection safe by default.
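The behaviour discussed in this thread, as an added example that is not part of the original issue and is not sqlite-tag or sqlite-worker code: a minimal template tag that turns every interpolation into a bound `?` parameter, which is why `${table}` fails (SQLite binds values, not identifiers) and why untrusted text cannot change the statement. The names `sql`, `identifier` and `TABLES` are hypothetical, and the allow-listed identifier helper is one assumed way to splice a table name safely.

```javascript
// Added illustration; names are hypothetical, not the sqlite-tag API.
const RAW = Symbol('raw');
const TABLES = ['todos', 'users']; // constructed allow-list of known tables

// Returns a marked fragment only for identifiers on the allow-list,
// double-quoted with embedded quotes doubled as SQLite expects.
function identifier(name, allowed) {
  if (!allowed.includes(name)) {
    throw new Error(`identifier not allowed: ${name}`);
  }
  return { [RAW]: '"' + name.replace(/"/g, '""') + '"' };
}

// Tag: static chunks stay as SQL text, interpolations become "?" parameters
// unless they are fragments produced by identifier().
function sql(strings, ...values) {
  let text = strings[0];
  const params = [];
  values.forEach((value, i) => {
    if (value !== null && typeof value === 'object' && RAW in value) {
      text += value[RAW];
    } else {
      text += '?';
      params.push(value);
    }
    text += strings[i + 1];
  });
  return { text, params };
}

function demo() {
  const table = 'todos';
  const untrusted = "x'; DROP TABLE todos; --"; // constructed input
  return {
    // Table name sent as a value: "FROM ?" is not valid SQL, hence the error.
    bound: sql`SELECT * FROM ${table} WHERE id = ${7}`,
    // Table name validated and spliced, value still bound.
    spliced: sql`SELECT * FROM ${identifier(table, TABLES)} WHERE id = ${7}`,
    // Untrusted text never reaches the SQL string, only the parameter list.
    value: sql`SELECT * FROM todos WHERE title = ${untrusted}`
  };
}

console.log(demo());
```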