Does pg (node-postgres) automatically sanitize data

node.js pg node-postgres
Luke Schlangen picture Luke Schlangen · Jan 4, 2017 · Viewed 10.7k times · Source

I am using node-postgres for a production application and I am wondering if there is anything I should be concerned about? Is the data sanitized automatically by node-postgres?

I couldn't find anything about it on the github page: https://github.com/brianc/node-postgres

Answer

Tuan Anh Tran picture Tuan Anh Tran · Jan 4, 2017

Absolutely! The parameterized query support in node-postgres is first class. All escaping is done by the postgresql server ensuring proper behavior across dialects, encodings, etc... For example, this will not inject sql:

client.query("INSERT INTO user(name) VALUES($1)", ["'; DROP TABLE user;"], function (err, result) {
  // ...
});

This is from their documentation.

Related questions

pg.connect not a function?

There appears to be a lot of documentation (e.g. https://devcenter.heroku.com/articles/heroku-postgresql#connecting-in-node-js, but also elsewhere including this site) indicating that the proper method of connecting with the pg.js Node package is using pg.connect. …

Read More
"Error": "invalid input value for enum" only when using pg package in application to do INSERT SQL operation

I am beginning to build out the user authentication part of my application and I am using PostgreSQL as my database. I have a table set up in PG with the following code. This is the code I used to …

Read More
How do I update Node.js?

I did the following to update my npm: npm update npm -g But I have no idea how to update Node.js. Any suggestions? (I'm using Node.js 0.4.1 and want to update to Node.js 0.6.1.)

Read More