node.js - How to properly escape raw SQL query (plainto_tsquery) in Postgres / node -

node.js - How to properly escape raw SQL query (plainto_tsquery) in Postgres / node -

i'm writing raw sql query implement postgres total text search in node backend. i've looked through official docs, state:

plainto_tsquery transforms unformatted text querytext tsquery. text parsed , normalized much to_tsvector, & (and) boolean operator inserted between surviving words.

but i'm not familiar plenty different sql injection techniques know whether next escaped:

'select * "products" "catalog_ts_vector" @@ plainto_tsquery(\'english\', ' + search_term + ')'

the user able come in whatever search_term want via uri.

do need farther escaping/manipulation, or functionality baked plainto_tsquery() , other postgres safeguards?

edit

as side note, plan strip out non-alphanumeric characters (including parentheses) .replace(/[^\w-_ .\&]|\(\)/g, ' '); should go long way, i'm still curious if necessary.

most you're using pg module postgresql client node.js. in case don't need worry sql injection, pg prevents you. not utilize string concatination create query, utilize parameterized queries (or prepared statement):

var sql = 'select * "products" "catalog_ts_vector" @@ plainto_tsquery(\'english\', $1)'; var params = [search_term]; client.query(sql, params, function(err, result) { // handle error , result here });

also @ prepared statment part of pg wiki , postgresql prepare statement.

upd sequelize - uses pg module default, can specify preferable pg client in dialectmodulepath config parameter (see here). can utilize parameterized queries in sequelize too. improve - can utilize named parameters. code be:

var sql = 'select * "products" "catalog_ts_vector" @@ plainto_tsquery(\'english\', :search_term)'; var params = { search_term: search_term } sequelize.query(sql, product, null, params).then(function(products) { // handle products here })

where product sequelize product model.

node.js postgresql security sql-injection