[Sorreah]

I'd much rather read a straightforward example like that in an intro, then reading the complicated prepared statement when going through what's essentially pseudocode.

There are valid cases where you're sure that the thing you're looking at is a valid id (ie. you already pulled it out of the database or by generating it yourself), not every program is a webapp that's handling user input, and examples like this aren't meant to teach you best security practices.

And yes the login system example would be acceptable if you're discussing something entirely unrelated to actually implementing one.

[Klathmon]

I think the disconnect here is that a prepared statement isn't really more complicated. As pseudocode it's more like

    dbquery('select * from friends where user_id = $1', userId)

A few extra characters is all it takes.

And the benefits of prepared or parameterized statements don't end at security, they can often have performance benefits as well.

And as for the login pseudocode, if it doesn't have anything to do with the example, hide the implementation:

    if (userIsAuthenticated === true) { login() }

[josephg]

I've been enjoying sql-template-strings lately, which build on ES6 tagged template literals so you get the best of both worlds:

    dbquery(sql`select * from friends where user_id = ${userId}`)

https://www.npmjs.com/package/sql-template-strings

[Klathmon]

(not sure why you are getting downvoted, but...)

Template strings are the one ES2015 feature I still really haven't used much. And this almost seems like a textbook use case for them! I'll need to give this a shot in a toy project and see if I can't get my own version hacked together for support with my favorite database interface library in node (pg-promise)