Best way to bind object values to sql queries #13382

ghost · 2024-08-18T09:52:44Z

ghost
Aug 18, 2024

I'm just wondering if there is a better way to bind object values to SQL queries.

For example, let's say I have the following object:

const user = {
  name: 'Joe',
  email: '[email protected]',
}

I want to insert these values into the DB.

I can do this:

db.query(`insert into users (name, email) values (${name}, ${email});`).run()

But this is vulnerable to injection, right?

So if I use bindings, I can do this:

db.query(`insert into users (name, email) values ($name, $email);`).run({
  $name: user.name,
  $email: user.email,
})

However, I've also passed the object directly into the query string, which I didn't see documented but works for some weird reason:

let bindings = {};

  for (const key in user) {
    bindings[`:${key}`] = user[key]
  }

db.query(`insert into users (${Object.keys(user)}) values (${Object.keys(bindings)});`).run(bindings)

I'm just wondering, is my last example the best and most concise way of doing it, or is there a better way?

staabm · 2024-08-18T11:03:21Z

staabm
Aug 18, 2024

Sqlite?

https://bun.sh/docs/api/sqlite

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Best way to bind object values to sql queries #13382

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Best way to bind object values to sql queries #13382

ghost Aug 18, 2024

Replies: 1 comment

staabm Aug 18, 2024

ghost
Aug 18, 2024

staabm
Aug 18, 2024