I am using node-postgres for a production application and I am wondering if there is anything I should be concerned about. Is the data sanitized automatically by node-postgres?
I couldn't find anything about it on the GitHub page: https://github.com/brianc/node-postgres
Absolutely! The parameterized query support in node-postgres is first class. All escaping is done by the PostgreSQL server, ensuring proper behavior across dialects, encodings, etc. For example, this will not inject SQL:
    const { Client } = require('pg');
    const client = new Client(); // connection settings come from the PG* environment variables
    client.connect();

    // "user" is a reserved word in PostgreSQL, so the identifier has to be quoted.
    // The $1 placeholder is bound to the value below; the value never becomes part of the SQL text.
    client.query('INSERT INTO "user"(name) VALUES($1)', ["'; DROP TABLE user;"], function (err, result) {
      if (err) throw err;
      // result.rowCount is 1: one row whose name is the literal string "'; DROP TABLE user;"
      client.end();
    });
This is from their documentation.
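Added example, not part of the original question or answer and not node-postgres's own code. It builds the `{ text, values }` query objects that `client.query` accepts, feeding the answer's hostile input first to a concatenated query and then to a parameterized one, and it covers the caveat the answer does not mention: a `$n` placeholder carries a value only, so a table or column name taken from input still has to be allow-listed and quoted (pg provides `client.escapeIdentifier` for the quoting; an equivalent one-liner is inlined here so the block runs offline with no database). The `users` table, the column allow-list and the payload are constructed for the example.

```javascript
// Added example; not from the original post or the node-postgres docs.
// Plain JavaScript that builds the { text, values } objects client.query()
// accepts, so it runs with no database attached. The table `users`, the
// allow-list and the payload below are constructed for the demonstration.

// Constructed attacker-controlled value: the payload from the answer, with a
// trailing comment so the remainder of the spliced line still parses.
const HOSTILE_NAME = "'; DROP TABLE users; --";

// Vulnerable shape: the value is spliced into the SQL text itself. With an
// empty values[] pg sends the text over the simple query protocol, which
// accepts several ';'-separated statements in one message.
function insertByConcatenation(name) {
  return { text: `INSERT INTO users(name) VALUES('${name}')`, values: [] };
}

// Safe shape: the SQL text is a constant and the value travels separately in
// values[]. pg then uses the extended query protocol, where the server parses
// exactly one statement and binds $1 as data, never as SQL.
function insertParameterized(name) {
  return { text: 'INSERT INTO users(name) VALUES($1)', values: [name] };
}

// Caveat: a $n placeholder cannot stand in for a table or column name. When an
// identifier comes from input, check it against an allow-list, then quote it.
// (pg's client.escapeIdentifier applies the same double-quoting rule.)
const SORTABLE_COLUMNS = new Set(['name', 'created_at']);

function quoteIdentifier(ident) {
  return '"' + ident.replace(/"/g, '""') + '"';
}

function selectOrdered(orderBy, minId) {
  if (!SORTABLE_COLUMNS.has(orderBy)) {
    throw new Error(`refusing to order by untrusted column: ${orderBy}`);
  }
  return {
    text: `SELECT id, name FROM users WHERE id >= $1 ORDER BY ${quoteIdentifier(orderBy)}`,
    values: [minId],
  };
}

// Rough count of top-level statements in a query text: splits on ';' and
// drops empty pieces and '--' comments. Not a SQL parser, but enough to show
// how many commands each insert shape hands to the server.
function statementCount(sql) {
  return sql
    .split(';')
    .map((s) => s.trim())
    .filter((s) => s.length > 0 && !s.startsWith('--')).length;
}

// Usage: the same hostile input, two outcomes.
console.log(insertByConcatenation(HOSTILE_NAME).text);
console.log(statementCount(insertByConcatenation(HOSTILE_NAME).text)); // 2
console.log(insertParameterized(HOSTILE_NAME).text);
console.log(statementCount(insertParameterized(HOSTILE_NAME).text)); // 1
console.log(selectOrdered('created_at', 10).text);
```

The protocol detail is what makes the answer's claim hold: once `values` is non-empty, pg issues a Parse/Bind/Execute sequence, and PostgreSQL rejects a Parse message containing more than one statement, so even a second `;` in the text cannot smuggle a command through. The identifier case is the one this does not cover, which is why `selectOrdered` refuses anything not in the allow-list before it quotes.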