To prevent SQL injection in Node.js, use parameterized queries with a database library such as pg for PostgreSQL or mysql2 for MySQL.

Example using pg for PostgreSQL:
const { Client } = require('pg');

// Untrusted input, e.g. a username taken from a request body or CLI argument
const inputUsername = process.argv[2];

// Bad: Concatenation (vulnerable to SQL injection)
const insecureQuery = `SELECT * FROM users WHERE username = '${inputUsername}'`;

// Good: Parameterized query (prevents SQL injection)
const secureQuery = 'SELECT * FROM users WHERE username = $1';
const values = [inputUsername];

// Connection settings are read from the PG* environment variables
const client = new Client();

async function run() {
  await client.connect();
  try {
    // The statement text and the values are sent to the server separately
    const result = await client.query(secureQuery, values);
    console.log(result.rows);
  } finally {
    await client.end();
  }
}

run().catch((err) => console.error(err));
By using parameterized queries, you avoid interpolating user input directly into SQL statements: the statement text stays fixed and the input is sent to the database as a value, so it cannot change the structure of the query. This removes the main cause of SQL injection.