Using postgres and node-pg.
CALL schema.function(${sql})
function is a variadic function accepting an array. It is open to SQL injection. How can the injection case be resolved?
My stored procedure uses a custom type:
CREATE TYPE isf.event_array AS
(
"id" BIGINT,
"topic" CHARACTER VARYING(255),
"type" TEXT,
"setId" BIGINT,
"eventId" CHARACTER (36),
"eventType" CHARACTER VARYING(50),
"metadata" JSONB,
"payload" JSONB
);
END IF;
I understand the use of parametrised queries, however in this instance it needs to be passed an array.
Many thanks
CodePudding user response:
As always when dealing with passing dynamic values, use a parameterised query:
await client.query('CALL schema.function($1::json);', [JSON.stringify(arr)]);