by Klathmon 3319 days ago
I think the disconnect here is that a prepared statement isn't really more complicated. As pseudocode it's more like

    dbquery('select * from friends where user_id = $1', userId)
A few extra characters is all it takes.

And the benefits of prepared or parameterized statements don't end at security, they can often have performance benefits as well.

And as for the login pseudocode, if it doesn't have anything to do with the example, hide the implementation:

    if (userIsAuthenticated === true) { login() }
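An added illustration of Klathmon's point (example code written for this edit, not from the thread or from any library): the same query built by concatenation and in the parameterized `{ text, values }` shape that node-postgres' `client.query(text, values)` takes. `predicateCount` is a toy check written here, not a SQL parser; the inputs are constructed.

```javascript
// Added example, not code from the thread. Contrasts string concatenation
// with the parameterized form the comment recommends, using the
// { text, values } shape node-postgres' client.query(text, values) takes.
// predicateCount is a toy check written here, not a real SQL parser.

// Constructed inputs: one benign id, one that tries to append a tautology.
const BENIGN_USER_ID = '42';
const HOSTILE_USER_ID = '42 OR 1=1';

// The pattern being argued against: the input becomes part of the SQL text.
function concatenatedQuery(userId) {
  return { text: `select * from friends where user_id = ${userId}`, values: [] };
}

// The recommended pattern: fixed SQL text, the input travels separately as $1.
// Postgres receives statement and value as distinct protocol messages, so the
// value cannot change the statement's structure (and for an integer column,
// '42 OR 1=1' is rejected as invalid integer input rather than executed).
function parameterizedQuery(userId) {
  return { text: 'select * from friends where user_id = $1', values: [userId] };
}

// Toy structural check: how many boolean terms does the WHERE clause have?
// For the parameterized query this number is independent of user input.
function predicateCount(text) {
  const where = text.toLowerCase().split(' where ')[1] || '';
  return where.split(/\s+(?:and|or)\s+/).length;
}

// Build the query with both inputs and report whether the query's structure
// changed with the input. true means the input rewrote the SQL.
function structureDependsOnInput(build) {
  return predicateCount(build(BENIGN_USER_ID).text) !==
         predicateCount(build(HOSTILE_USER_ID).text);
}

console.log('concatenated :', structureDependsOnInput(concatenatedQuery));   // true
console.log('parameterized:', structureDependsOnInput(parameterizedQuery)); // false
console.log(parameterizedQuery(HOSTILE_USER_ID));
// { text: 'select * from friends where user_id = $1', values: [ '42 OR 1=1' ] }
```

The check is deliberately crude; the point it makes is the one that matters in practice: with concatenation the attacker's string is parsed as SQL, with a placeholder it is only ever data.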

I've been enjoying sql-template-strings lately, which builds on ES6 tagged template literals so you get the best of both worlds:

    dbquery(sql`select * from friends where user_id = ${userId}`)
https://www.npmjs.com/package/sql-template-strings
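To show what such a tag does under the hood, here is a minimal tagged template written for this edit in the spirit of sql-template-strings (it is not the package's own code, and `SqlQuery`, `sql`, `friendsQuery` and `activeFriendsQuery` are names chosen here). It produces the `{ text, values }` object node-postgres accepts, with interpolated values turned into `$n` parameters rather than spliced into the SQL; it also handles nesting one fragment inside another, which the package supports and which this example renumbers by hand.

```javascript
// Added example, not sql-template-strings itself: a minimal tagged template
// that turns sql`... ${x} ...` into the { text, values } object node-postgres
// consumes. Interpolated values never enter the SQL text; each becomes $n.

class SqlQuery {
  constructor(text, values) {
    this.text = text;
    this.values = values;
  }
}

function sql(strings, ...exprs) {
  let text = '';
  const values = [];
  strings.forEach((chunk, i) => {
    text += chunk;
    if (i >= exprs.length) return;
    const expr = exprs[i];
    if (expr instanceof SqlQuery) {
      // Nested fragment: splice its text in and shift its placeholders past
      // the values already collected. (Assumes the fragment's text contains
      // no literal "$n" other than its own placeholders.)
      const offset = values.length;
      text += expr.text.replace(/\$(\d+)/g, (_, n) => `$${Number(n) + offset}`);
      values.push(...expr.values);
    } else {
      // Plain value (even a string): never concatenated, only parameterized.
      values.push(expr);
      text += `$${values.length}`;
    }
  });
  return new SqlQuery(text, values);
}

// Constructed inputs, including a hostile one; it ends up as a value, not SQL.
const userId = '42 OR 1=1';
const activeOnly = sql`status = ${'active'}`;

function friendsQuery(id) {
  return sql`select * from friends where user_id = ${id}`;
}

function activeFriendsQuery(id, since) {
  return sql`select * from friends where user_id = ${id} and ${activeOnly} and created_at > ${since}`;
}

console.log(friendsQuery(userId));
// { text: 'select * from friends where user_id = $1', values: [ '42 OR 1=1' ] }
console.log(activeFriendsQuery(userId, '2016-01-01'));
// text: 'select * from friends where user_id = $1 and status = $2 and created_at > $3'
```

The returned object can be handed straight to node-postgres (`client.query(friendsQuery(userId))`), since it accepts a query config object with `text` and `values`. One caveat worth keeping in mind with any such tag: only values can be parameterized; table and column names still have to come from a fixed allow-list, not from user input.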
(not sure why you are getting downvoted, but...)

Template strings are the one ES2015 feature I still really haven't used much. And this almost seems like a textbook use case for them! I'll need to give this a shot in a toy project and see if I can't get my own version hacked together for support with my favorite database interface library in node (pg-promise).