I can use `literal` in Sequelize to manually build a SQL query part:

```js
sequelize.literal(`"foo".bar ILIKE '%baz%'`)
```

But if I want to add a var in this literal block, I now introduce a SQL injection vulnerability:

```js
sequelize.literal(`"foo".name ILIKE '%${myVar}%'`)
```

Is there a Sequelize way to protect variables in literal blocks?
You could use `escape`:

```js
const escapedSearch = sequelize.escape(`%${myVar}%`);
sequelize.literal(`"foo".name ILIKE ${escapedSearch}`);
```

See: https://sequelize.org/master/class/lib/sequelize.js~Sequelize.html#instance-method-escape
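A self-contained illustration of the answer's approach, added here and not part of the question or the answer: it contrasts the interpolated literal from the question with the escaped one from the answer and checks that the result is still a single well-formed string literal. Because `sequelize.escape` needs the package installed, `escapeLiteral` below is an assumed stand-in that mimics its PostgreSQL quoting (wrap in single quotes, double any embedded quote); `escapeLikeWildcards`, `safeFragment` and `isWellFormedFragment` are helpers invented for this example.

```javascript
// Added example, not code from the question or the answer. It models the
// answer's approach: escape the whole pattern, then splice the already-quoted
// result into the literal. `escapeLiteral` is an ASSUMED stand-in for
// sequelize.escape() on PostgreSQL (wrap in single quotes, double embedded
// quotes) so this file runs without the sequelize package installed.
function escapeLiteral(value) {
  if (typeof value !== 'string') throw new TypeError('expected a string');
  return `'${value.replace(/'/g, "''")}'`;
}

// Backslash-escape LIKE metacharacters so a "%" or "_" typed by the user is
// matched literally (backslash is PostgreSQL's default LIKE escape character).
function escapeLikeWildcards(value) {
  return value.replace(/[\\%_]/g, (ch) => `\\${ch}`);
}

// The vulnerable form from the question: raw text is spliced into the SQL.
function unsafeFragment(myVar) {
  return `"foo".name ILIKE '%${myVar}%'`;
}

// The answer's form: wildcards are added in JS, the whole pattern is escaped,
// and the fragment carries no quotes of its own (escape() already added them).
function safeFragment(myVar, { literalWildcards = false } = {}) {
  const text = literalWildcards ? escapeLikeWildcards(myVar) : myVar;
  const escapedSearch = escapeLiteral(`%${text}%`);
  return `"foo".name ILIKE ${escapedSearch}`;
}

// Structural check: the fragment must be the column, ILIKE and exactly one
// well-formed string literal (quotes inside it only ever appear doubled).
const WELL_FORMED = /^"foo"\.name ILIKE '(?:[^']|'')*'$/;
function isWellFormedFragment(fragment) {
  return WELL_FORMED.test(fragment);
}

// Constructed inputs: a plain term, a name with an apostrophe, a term with "%".
const samples = ['baz', "O'Reilly", '50%'];
for (const s of samples) {
  console.log(isWellFormedFragment(unsafeFragment(s)), unsafeFragment(s));
  console.log(isWellFormedFragment(safeFragment(s)), safeFragment(s));
}
```

`sequelize.escape` only turns the value into a safe string literal; a `%` or `_` typed by the user still acts as an ILIKE wildcard, which is what the `literalWildcards` option addresses.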