How do you avoid an SQL injection vulnerability without a query builder or an ORM?

Suppose I have a function that looks like the following (ignore any syntax errors here unless they are relevant to the question, I’m new to SQL):

const sqlite3 = require("sqlite3");
const { open } = require("sqlite"); // promise wrapper around the sqlite3 driver

// This function updates the database using the command passed as a parameter
const execute = async (command) => {
    const db = await open({
        filename: "test.db",
        driver: sqlite3.Database,
    });
    await db.exec(command); // exec runs every statement contained in the string
};

// Takes the user ID and their input and adds it to the database
const createBlogPost = async (userId, text) => {
    // The user's text is interpolated straight into the SQL string
    await execute(`INSERT INTO posts (user_id, post) VALUES ("${userId}", "${text}");`);
};

There is nothing stopping the user from injecting their own SQL into the blog post text field. Wouldn’t they be able to execute any command they want as long as the syntax is correct? I’m wondering if there’s anything extra you’re supposed to do in order to prevent this, or if it’s best practice to just use an ORM rather than building your own SQL statements.

Many thanks.
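Added example (not part of the question above): the same createBlogPost written twice, once with string interpolation as in the question and once as a parameterized query, run against an in-memory SQLite database. Python's standard-library sqlite3 is used so it runs without installing anything; the Node `sqlite` package used in the question exposes the same idea as `db.run(sql, [params])`. The post text, table and fixture row are constructed for the demo; single quotes are used because that is SQLite's string-literal syntax.

```python
import sqlite3

# Constructed sample input: text a user could type into the blog post field.
# It closes the string and statement the app started, then appends its own statement.
INJECTED_TEXT = "'); INSERT INTO posts (user_id, post) VALUES ('2', 'forged'); --"

def make_db():
    """Fresh in-memory database with one existing post (constructed fixture)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (user_id TEXT, post TEXT)")
    db.execute("INSERT INTO posts (user_id, post) VALUES (?, ?)", ("1", "hello"))
    db.commit()
    return db

def create_post_unsafe(db, user_id, text):
    """Same shape as the question's createBlogPost: user text is pasted into the SQL."""
    sql = f"INSERT INTO posts (user_id, post) VALUES ('{user_id}', '{text}');"
    # executescript runs every statement in the string, like db.exec() in the question.
    db.executescript(sql)

def create_post_safe(db, user_id, text):
    """Parameterized query: values travel separately from the SQL and are never parsed as SQL."""
    db.execute("INSERT INTO posts (user_id, post) VALUES (?, ?)", (user_id, text))
    db.commit()

def posts_by(db, user_id):
    """Return the post bodies stored for a user, in insertion order."""
    rows = db.execute("SELECT post FROM posts WHERE user_id = ? ORDER BY rowid", (user_id,))
    return [r[0] for r in rows]

def demo():
    unsafe = make_db()
    create_post_unsafe(unsafe, "1", INJECTED_TEXT)
    safe = make_db()
    create_post_safe(safe, "1", INJECTED_TEXT)
    return {
        "unsafe_user1": posts_by(unsafe, "1"),  # ['hello', '']: the post text was cut off
        "unsafe_user2": posts_by(unsafe, "2"),  # ['forged']: the appended statement ran
        "safe_user1": posts_by(safe, "1"),      # ['hello', INJECTED_TEXT]: stored as plain text
        "safe_user2": posts_by(safe, "2"),      # []: nothing else ran
    }

if __name__ == "__main__":
    print(demo())
```

The parameterized version needs no escaping of the user's text at all; the driver hands the values to SQLite separately from the statement, so there is no point at which they could be parsed as SQL.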