As a lesson on template strings, this is a good one. Don't sanitise SQL yourself, rely on whichever database lib you're using. It will likely use parameterisation which is driver/database level functionality.

SQL sanitizing is a good idea, but it has a weakness compared to prepared statements: The execution plan that is created by your database server for the sanitized SQL is only valid once and is discarded after your SQL was executed. Whereas a prepared statement can be reused with different parameters without having to generate a new execution plan.

I'm loving the short and direct to the subject videos.

Very interesting breakdown of the template string. Had completely forgotten about the backtick invocation.

I did see this syntax in some of libs, but never checked how it worked, very interesting video XD

This is good syntactic sugar, I didn't know about it until last week

Don't sanitize the tags yourself just replace the tags with the placeholder used by your db like '?' and return that plus the array of bind params. Then query your db by using the rendered query and the params extracted. Let the DB do the actual sanitization!

wow, this is such an interesting feature

Yes, this is just what I implemented for myself. Very powerful.

All the SQL comments below, while valid and good advice, are missing the point here, which is "this isn't string concatenation, so this isn't necessarily an instance of SQL injection".

Turn your sql strings into sql methods with often shared names (split off namespaces to prevent collisions or simply name the sql whateversql with the method being the whatever). Within the method perform needed sanitizing, validation with try catches as required for necessary error handling and your database, api calls are fine. From there it's more of a question of where you want to have that validation take place (client, server side). Use the parameterization method the database type calls for and have it interpolate as required (or interpolate as needed for the specific language you're using). Like with C# there is a type to value pairing on the value that is being interpolated/provided where you can define it as the database specific type that may not directly correspond with C# or the ansi model that is generally provided.

Thanks! It’s clear now!

i'm not convinced that function sanatize(strings, ...values) { return values.reduce((prev, cur, idx) => (prev + '"' + cur.replace(/"/g, '""') + '"' + strings[idx + 1]); } would actually successfully sanitize sql but I also can't see why it wouldn't 😭

Thanks Kyle

So much fun to troll the people who are trolling without knowing a single thing about what they're trolling and also they're wrong and makes them look like a fool

Hi, is your React course ALONE enough to go from zero to somewhat Pro in React or I still need other courses or resources too ? please let me know.

That's really cool! Until someone forgets to add the sql prefix!

If the string doesn't come from the user then it's OK. Every input that comes from the user should be sanitized (prepared statements or whatever your method is).

Didn’t Josh someone already cover this?

What if my id=`1"; DROP TABLE USERS;select "1` ?

What if I forgot to write sql`...`?

I'm not convinced making it almost indiscernible from an injection attack is the best api choice, even if it works.

for the 1st example, slugs should be generated by the server so they should be safe in theory even without sanitizing it.

People are so eager to criticize anything without even understanding what's going on!

Tough it seems to easy to forget the sql tag and have an SQL injection. Sure, linters will catch this (if properly configured), but I would avoid it, since it induces bad practices. Also if you want to execute more time the same query (e.g. multiple insert) this is inefficient, since it constructs each time a new query as a string, while when using prepared statements the query is parsed and optimized by the DBMS only a single time and then executed as many times you want with different parameters.

This is so bad... Please... Please... Don't anyone ever do this. Quoting a string isn't sanitizing. All the comments about "It's ok if it isn't user input"... Can you send me your resume so that I can make sure to never hire you? The SAFE way to do this would be to use the sql function to create a prepared statement replacing the arguments with the placeholder for your database (probably a ?) and then return the prepared statement. Or execute it and return the results, your choice. Note: I LOVE your videos and have learned a ton, just please don't roll your own SQL sanitizer again, even as an example. Too many people will think you are serious.

This is a VERY dangerous way to sanitize SQL, even if you write the perfect sanitization function. A developer has to remember NEVER to use parenthesis with that sql function you defined. If you use parenthesis such as this: id = "1 OR (1=1); DROP TABLE users;--" sql(`SELECT * FROM users WHERE id=${id}`) Then the function sql will receive a SINGLE argument that looks like this: "SELECT * FROM users WHERE id=1 OR (1=1); DROP TABLE users;--"

I am suprised that people are not aware of this espacilly after lit

Hopefully the tag function in question doesn't just wrap it in quotes like you did since you could just pass in a value with quotes in it to defeat it.

Like others have mentioned this is a good lesson on template strings but I still don't believe this is the right use case. I get that this approach gives access to your arguments to make them easier to sanitize but it still is the function's responsibility to sanitize it properly. Without a proper implementation for the sanitization function this approach will be vulnerable to SQL injections. Instead of re-inventing the universe every time, why not rely on the database library one is using or prepared statements which have already solved such problems?

im just wondering where is the paranthesis what happened to js?

Kyle Kyle kyle

Very good explanation on template string, but still, this is prone to error, it's just a big enough possibility for someone to forget about sanitizing. Prepared statements remains the way to go.

using on today code direct SQL statements is so unprofessional. why do you think are ORM invented? why do you think Microsoft Entity, Ruby on Rails Active Record or python Django ORM are for?

Man I swear... This whole 'good code' v 'bad code' is gonna cause a huge divide in the dev game... Like the whole east coast v west coast shit during 90s hip hop lol 😂 Me personally I'm hood code.. Like, if it works it works. If I EXECUTE and code works, job done lol

Good explanation of the JS featuere but your quote "sanitation" is terrible and doesnt prevent injections at all. Maybe it was just an example but imo it's a really bad one since it's not clear to beginners that that's not actually sanitizing anything.

Whilst it may work, this encourages bad practices that may cause one to repeat the same pattern in a different toolkit, that doesn't share the same "protection". Long term maintainability becomes questionable. For what gain? Just because you can do something, doesn't mean you should. I see a number prepared statement advocates here - again, worthy in some situations, but in many others it will make things slower. And it all depends on the database and the nature of each transaction. So stay away from assumed and dangerous practices, and don't optimize too early unless you have evidence to support your position.

I will never ever trust a frontend or "fullstack" dev with SQL queries lol

Too slim a difference for me 😅 I'm all in favour of getting people to just write SQL but this aint it.

Just because it's safe doesn't mean you should.

Why is this a valid js syntax. I hate JavaScript