I am trying to implement search with pg_trgm
module in PostgreSQL on project written with TypeScript and TypeOrm.
SQL what works for me looks like this:
SELECT t, similarity(t, 'word') AS sml
FROM test_trgm
WHERE t % 'word'
ORDER BY sml DESC, t;
But when I started integrate it in my builder I realize that that I can't protect select statement from SQL injection since TypeOrm doesn't offer to bind parameter in any of select methods (such as SelectQueryBuilder::addSelect
, SelectQueryBuilder::select
).
Example of my vulnerable method:
...
applySearch(builder: SelectQueryBuilder<any>, needle: string) {
if (needle) {
builder.addSelect(`similarity(title, ${needle})`);
builder.andWhere('title % :needle', { needle });
}
}
...
Maybe somebody know better way to realize this search in my technology stack?
The decision of this issue was to use same binding key in where
and select
statements in next way.
applySearch(builder: SelectQueryBuilder<any>, needle: string) {
if (needle) {
builder.addSelect(`similarity(title, :needle)`);
builder.andWhere('title % :needle', { needle });
}
}