I'm curious about the safety of using template literals for dynamic routes on the front end when working with Node.js. For example, in an Express route, it looks something like this:
```javascript
app.get("/posts/:postID", (req, res) => {
  // Retrieve post info from the database
});
```
Then on the front end, I have a function like this:
```javascript
async function getPostInfo() {
  const response = await fetch(`/posts/${postID}`);
  const post = await response.json();
  return post;
}
```
As long as I ensure that my Postgres queries are parameterized, is this a safe way to handle the request? I think it works, but I'm new to Node.js and worried about potential XSS attacks. Thanks for any help!
4 Answers
Using template literals is fine if you're sure postID is an integer. It becomes trickier if it’s a string. Make sure you’re not constructing your SQL queries by appending strings. Any good library or ORM should allow you to use placeholders in the query.
What are the concerns here? Why wouldn’t this approach be safe?
The frontend part doesn’t really matter because requests can be initiated without your front end. What really counts is that you properly parameterize your queries. Just keep in mind that users can request any post ID they want unless you set up additional restrictions.
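An added example, not code from the question or from any of the answers, putting the two points above into one runnable piece: the server side of `/posts/:postID` validates the id before it touches the database and uses a placeholder query, shown beside the string-building form the answers warn against, plus a small front-end helper that encodes the path segment for the case where the id is a string rather than an integer. Express and node-postgres are not required; `req`, `res` and `db` are minimal stand-ins with the same call shape (`db.query(text, values)` resolving to `{ rows }`), and the `posts` table columns and the sample row are constructed for the demo.

```javascript
// Added example (not from the question or the answers). Server side of the
// /posts/:postID route with id validation and a parameterized query, next to
// the unsafe concatenated form. `req`, `res` and `db` are stand-ins shaped like
// Express and node-postgres objects; no real server or database is involved.

const POST_BY_ID_SQL = 'SELECT id, title, body FROM posts WHERE id = $1';

// Accept only a positive integer id (no sign, no leading zero, no whitespace).
// Returns a number, or null so the caller can reject before touching the db.
function parsePostId(raw) {
  if (typeof raw !== 'string' || !/^[1-9][0-9]{0,17}$/.test(raw)) return null;
  const n = Number(raw);
  return Number.isSafeInteger(n) ? n : null;
}

// SAFE: the id travels as a bound value; the SQL text never changes.
function safeQuery(id) {
  return { text: POST_BY_ID_SQL, values: [id] };
}

// UNSAFE: the pattern the answers warn against. User input becomes SQL text,
// so "1 OR 1=1" rewrites the WHERE clause instead of matching one id.
function unsafeQuery(rawId) {
  return { text: `SELECT id, title, body FROM posts WHERE id = ${rawId}`, values: [] };
}

// Front-end helper for the template-literal URL: encoding the segment keeps a
// string id from adding extra path segments or query parameters.
function postUrl(postID) {
  return `/posts/${encodeURIComponent(String(postID))}`;
}

// Handler with the (req, res) shape Express uses; `db` is injected for testing.
async function getPost(req, res, db) {
  const id = parsePostId(req.params.postID);
  if (id === null) {
    return res.status(400).json({ error: 'postID must be a positive integer' });
  }
  const { text, values } = safeQuery(id);
  const { rows } = await db.query(text, values);
  if (rows.length === 0) return res.status(404).json({ error: 'post not found' });
  return res.status(200).json(rows[0]);
}

// Constructed in-memory stand-ins so the handler runs without a real database.
const fakeDb = {
  rows: [{ id: 7, title: 'hello', body: 'world' }],
  async query(text, values) {
    // A driver that only ever sees the fixed query text with bound values.
    if (text !== POST_BY_ID_SQL) throw new Error('only the parameterized query is accepted');
    return { rows: this.rows.filter((r) => r.id === values[0]) };
  },
};

function fakeRes() {
  const res = { statusCode: 0, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Run one request through the handler and return what the client would see.
async function demo(postID) {
  const res = fakeRes();
  await getPost({ params: { postID } }, res, fakeDb);
  return { status: res.statusCode, body: res.body };
}

demo('7').then((r) => console.log('valid id:', r));        // 200 with the post
demo('1 OR 1=1').then((r) => console.log('rejected:', r)); // 400, never reaches the db
console.log('concatenated SQL:', unsafeQuery('1 OR 1=1').text);
```

The validation step is what makes the third answer's point concrete: the client-side template literal is not a trust boundary, so the route rejects anything that is not a well-formed id before building the query, and the query itself carries the id only as a bound value. Authorization (whether this user may read this post) is a separate check the example does not include.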