Replies: 1 comment

+1 to this discussion. I have the same issue.
I've read through the docs and it's unclear to me exactly when and how content is escaped in Drizzle. We have a basic search endpoint that accepts a query; on the back-end we build the condition like this:

(NOTE: I'm aware this is not the most efficient way to do searches, I'm not asking about that.)

From my understanding of the docs, I think this works like this:

- `query` is `"test"`
- `%${query}%` becomes `%test%`
- `"%test%"` is passed as a value to `ilike(...)`
- `%` (and maybe that's fine).

Is this the safest way to build a string like that, which contains some database-internal parts AND user input?

I've tried doing this with the `sql` operator too, but I get errors. If I do:

I get a database syntax error at "%" -- okay, I see that. So then I quote it:

I then get an error "could not determine the type of parameter $1," again... okay, that makes some sense I guess. So I try:

But that returns the same error as without a type. So I guess using `sql` is not the solution.
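The question above mixes two separate concerns: SQL-level quoting of the `%test%` value, and the meaning of `%` and `_` inside that value once the database evaluates it as an ILIKE pattern. The following is an added, self-contained example (not Drizzle's code and not the poster's code) that separates the two. It assumes a PostgreSQL-style driver that takes the statement text and a separate array of parameter values (positional `$1` placeholder); `buildSearchCondition`, `escapeLikePattern`, `ilikeMatch` and `SEARCHABLE_COLUMNS` are illustrative names, and `ilikeMatch` is a constructed stand-in for the database's pattern evaluation so the behaviour can be checked offline.

```typescript
// Added example, not part of Drizzle or of the original post.
// Models a parameterized ILIKE search: the statement text holds only
// application-controlled parts, the user's term travels as a bound value.

export interface PreparedCondition {
  text: string;      // SQL fragment with a positional placeholder ($1)
  values: string[];  // values the driver sends separately from the SQL text
}

// Application-controlled identifiers are the "database-internal" part of the
// condition; they are chosen from a fixed allow-list, never from user input.
export const SEARCHABLE_COLUMNS: ReadonlySet<string> = new Set(['name', 'email']);

// Escape LIKE/ILIKE metacharacters so the user's text is matched literally.
// PostgreSQL treats `%` and `_` as wildcards and `\` as the default escape
// character, so each of the three is prefixed with `\`.
export function escapeLikePattern(input: string): string {
  return input.replace(/[\\%_]/g, (ch) => `\\${ch}`);
}

// Build the condition. The `%...%` pattern is placed in `values`, so no SQL
// quoting is applied to it at all: a bound parameter is data, not statement
// text. The only remaining decision is whether wildcards typed by the user
// should keep their meaning (`escapeWildcards = false`) or be literal.
export function buildSearchCondition(
  column: string,
  query: string,
  escapeWildcards: boolean = true,
): PreparedCondition {
  if (!SEARCHABLE_COLUMNS.has(column)) {
    throw new Error(`column not searchable: ${column}`);
  }
  const term = escapeWildcards ? escapeLikePattern(query) : query;
  return {
    text: `"${column}" ILIKE $1`,
    values: [`%${term}%`],
  };
}

// Constructed stand-in for ILIKE evaluation (not a database): `%` matches any
// run of characters, `_` exactly one, and `\x` matches the literal x.
// Used here only to show the effect of escaping on the match result.
export function ilikeMatch(pattern: string, value: string): boolean {
  const escapeRe = (s: string): string => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  let re = '^';
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern.charAt(i);
    if (ch === '\\' && i + 1 < pattern.length) {
      re += escapeRe(pattern.charAt(++i)); // escaped metacharacter: literal
    } else if (ch === '%') {
      re += '[\\s\\S]*';
    } else if (ch === '_') {
      re += '[\\s\\S]';
    } else {
      re += escapeRe(ch);
    }
  }
  return new RegExp(re + '$', 'i').test(value);
}

// Constructed sample rows and a user-supplied term containing a wildcard.
export const SAMPLE_NAMES: string[] = ['Discount 50% off', '50 units', 'fifty'];

// Returns the rows that would match for the given term, with and without
// wildcard escaping, so the difference is visible side by side.
export function compareSearch(term: string): { literal: string[]; wildcard: string[] } {
  const literal = buildSearchCondition('name', term, true).values[0];
  const wildcard = buildSearchCondition('name', term, false).values[0];
  return {
    literal: SAMPLE_NAMES.filter((n) => ilikeMatch(literal, n)),
    wildcard: SAMPLE_NAMES.filter((n) => ilikeMatch(wildcard, n)),
  };
}
```

With parameter binding, the question of how `"%test%"` is quoted goes away: the driver never splices it into the statement, which is also why a bare `%` inside the `sql` template text is a syntax error while the same `%` inside a bound value is not. What binding does not decide is wildcard semantics; `compareSearch('50%')` shows that an unescaped term matches `50 units`, while the escaped term matches only rows containing a literal `50%`.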