Do I need to check the format of binding arguments of a better-sqlite3 command

Question

Take a look at this code which uses better-sqlite3:

router.post('/auth', (req, res) => {
    var rc = req.params('code')
    var code_entry = db.prepare('SELECT * FROM pending_registrations WHERE code = ?').get(rc)
    if (code_entry === undefined) {
        res.send({ success: false })
    }

Do I need to verify that code parameter of the post query is correctly formatted? Is it possible for this code to malfunction if input is bad?

Worst that will happen is that it won't match anything. – Shawn Jan 06 '19 at 09:41 — Shawn, Jan 06 '19 at 09:41

score 2 · Accepted Answer · answered Jan 06 '19 at 15:18

2

SQL parameters do not need formatting; they are not inserted into the query text, but passed directly to the database. (This is the only practical way to handle blobs, which can literally contain anything.)

answered Jan 06 '19 at 15:18

CL.

173,858
17
217
259

Do I need to check the format of binding arguments of a better-sqlite3 command

1 Answers1