Does pgx implement a way to prevent SQL Injections? #2099
-
|
I found this documentation on how the sql library prevents SQL injection. Does the pgx have something similar to the method they introduce? Thank you for any help on the matter. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
|
Yes, if you are using $1, $2, etc. then SQL injection is prevented. pgx uses the PostgreSQL extended protocol / prepared statements by default where the SQL string and the arguments are passed separately to the PostgreSQL database. When using the simple protocol, pgx handles variable sanitization and interpolation. |
Beta Was this translation helpful? Give feedback.
-
|
Awesome thank you so much for the reply. Does that also apply to named arguments as well? |
Beta Was this translation helpful? Give feedback.
-
|
Named arguments? If you mean pgx's https://pkg.go.dev/github.com/jackc/pgx/v5#NamedArgs then yes. Otherwise, PostgreSQL doesn't support named arguments directly. Everything is $1, $2, etc. If whatever you are using eventually converts to $1 style then it is safe. |
Beta Was this translation helpful? Give feedback.
-
|
Yes I meant that. Thank you |
Beta Was this translation helpful? Give feedback.
Yes, if you are using $1, $2, etc. then SQL injection is prevented. pgx uses the PostgreSQL extended protocol / prepared statements by default where the SQL string and the arguments are passed separately to the PostgreSQL database. When using the simple protocol, pgx handles variable sanitization and interpolation.