executing complete insert #650

MarcRohrer · 2023-07-24T12:21:46Z

MarcRohrer
Jul 24, 2023

Hi,

this should be trivial, but for the life of me, I cannot figure out, how you intended this tho work.
I have an array with insert statemens completely generated fron various sources. Finally, currently already I struggle with the first one.
My insert statement runs fine within pgAdmin and fine when I have it as a constant within the insert.
But as soon as I do

await sql`${insertStatements[0]}`

I get:

PostgresError: Syntaxfehler bei »'$1'«

Of course, there will be a whole bunch of inserts but with no dynamic parameters at all.
All inserts are prebuilt.

How can I do that?

best wishes!

Marc

Answered by porsager

Jul 24, 2023

Hi @MarcRohrer .

If you already have a string you want to run as a query, there is no way to have Postgres.js help you ensure you're doing something safe, and not accidentally eg. allowing sql injection, therefore the method is called unsafe. Check out https://github.com/porsager/postgres#await-sqlunsafequery-args-options---result

Postgres.js mainly works by letting you compose your queries using tagged template literals, also to avoid sql injection and unsafe query creation. Did you read the beginning of the README.md, specifically https://github.com/porsager/postgres#await-sql---result ? Do you have any recommendations for how you think it could be better explained? I'm sorry to hear yo…

View full answer

porsager · 2023-07-24T12:26:59Z

porsager
Jul 24, 2023
Maintainer

Hi @MarcRohrer .

If you already have a string you want to run as a query, there is no way to have Postgres.js help you ensure you're doing something safe, and not accidentally eg. allowing sql injection, therefore the method is called unsafe. Check out https://github.com/porsager/postgres#await-sqlunsafequery-args-options---result

Postgres.js mainly works by letting you compose your queries using tagged template literals, also to avoid sql injection and unsafe query creation. Did you read the beginning of the README.md, specifically https://github.com/porsager/postgres#await-sql---result ? Do you have any recommendations for how you think it could be better explained? I'm sorry to hear you didn't find that intuitive / straight forward.

1 reply

MarcRohrer Jul 24, 2023
Author

Hi @porsager,

thanx for the ultrafast reply!

You are absolutely right, safetywise!
This initially was what drew me to Postgres.js in the first place :-)
When I pursue the javascript version, I will most probably do that.

For me it absolutely would have helped, if the topic would have been listed in the TOC.
I looked there multiple times, but I could not find anything.

Certain use cases outside of the "traditional" Web domain, eg. an ETL process do
not require the extra safety I suppose. But once one got used to using it,
it might be better anyway.

But I already have the code for transforming the data, so for a proof of concept
this should suffice.

Thank you very much for your kind help!

Marc

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

executing complete insert #650

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

executing complete insert #650

MarcRohrer Jul 24, 2023

Replies: 1 comment · 1 reply

porsager Jul 24, 2023 Maintainer

MarcRohrer Jul 24, 2023 Author

MarcRohrer
Jul 24, 2023

Replies: 1 comment 1 reply

porsager
Jul 24, 2023
Maintainer

MarcRohrer Jul 24, 2023
Author