Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The postgres code snippet is a text-book example of how to enable SQL injection attacks. Great performance from the Vercel marketing team.


I don't think you understand what the code is doing. That's a string templating function, not a raw templated string. `${formData.get('name')}` will get passed as a parameter in a var-arg, not stuck straight into the string.


Right. The code converts all expressions into $N-parameters. However Postgres does not support parameters in all locations, eg. this would fail:

   import { tableName } from "../shared"
   sql`SELECT * FROM ${tableName} WHERE id=${formData.get('id')}`
The @vercel/postgres package needs a big disclaimer that it works very differently from node-postgres and what is and is not allowed.


That would result in an error then, not an injection


They've looked at Postgres.js (https://github.com/porsager/postgres) before — wouldn't mind if they enabled those other cases in the same way.

Also, node-postgres is ripe for sql injections because you just concatenate strings yourself when using it...


> node-postgres is ripe for sql injections because you just concatenate strings yourself when using it...

Why the heck would you do that?

I guess for any library that accepts SQL, someone might concatenate strings rather than use the parameter handling.


The things I've seen because people don't want to learn an ORM's (or similar tech) API.


I mean that node-posgres doesn't encourage anyone to include parameter values through string concatenation, at least no more than porsager or other SQL-based clients.

Not sure what ORMs have to do with it. They do include a safe parameter substitution mechanism, but so do typical SQL-based clients.


It doesn't explicitly encourage you to do it, but it's very much right there - waiting to happen because you always just pass a string to the query function? In Postgres.js you have to use a function that is specifically named `unsafe` to do that.


The examples on https://node-postgres.com/features/queries clearly show how to use parametrized queries. Of course you /can/ concatenate strings, no library in the JS land will prevent you from doing that. But the examples are pretty clear how to do it correctly.


Well that's exactly what Postgres.js will do for you ;)




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: