Tags: sql, node.js, postgresql, sql-injection, node-postgres

Is this safe for node-postgres?


I'm trying to insert a record into a table called email. I do not have all the values on hand when performing the INSERT. I'd like to retrieve some of those values from a table called provider. I managed to get it to work, but being fairly new I wanted to ask if this is safe from SQL injections?

const { Client } = require('pg'); // node-postgres
const client = new Client();      // connection settings come from the PG* environment variables
await client.connect();

// var1 .. var5 are the column values supplied at runtime; var6ProvId is the provider id
const newEmailRecord = {
  text: 'INSERT INTO email(col1, col2, col3, col4, col5, col6, col7) (SELECT $1, $2, prov_first_name AS col3, prov_email AS col4, $3, $4, $5 FROM provider WHERE prov_id=($6))',
  values: [var1, var2, var3, var4, var5, var6ProvId], // bound to $1 .. $6 in that order
};

await client.query(newEmailRecord);

Solution

  • All the values potentially introduced from outside the application are bound to placeholders. This should be safe from SQL Injection attacks.
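To make the point of the answer concrete, here is an added example (not code from the question or the answer) that builds the same INSERT ... SELECT two ways: as the parameterised config object node-postgres sends to the server, and, for contrast, by interpolating the input into the SQL string. It runs without a database and only inspects the resulting query text and bound values; the table and column names are the ones from the question, and the sample input (a name with an apostrophe) is constructed for illustration.

```javascript
// Added example: the same INSERT ... SELECT from the question, built two ways.
// No database is needed; we only inspect the query text and the bound values
// that node-postgres would transmit separately from the SQL text.

const INSERT_TEXT =
  'INSERT INTO email(col1, col2, col3, col4, col5, col6, col7) ' +
  '(SELECT $1, $2, prov_first_name AS col3, prov_email AS col4, $3, $4, $5 ' +
  'FROM provider WHERE prov_id=($6))';

// Parameterised form: values travel in the array, the SQL text never changes.
// Placeholders stop injection but do not validate types, so check prov_id here.
function buildEmailInsert(vals, provId) {
  if (vals.length !== 5) throw new Error('expected 5 column values');
  if (!Number.isInteger(provId)) throw new Error('prov_id must be an integer');
  return { text: INSERT_TEXT, values: [...vals, provId] };
}

// Interpolated form (shown only for contrast): the input becomes part of the SQL.
function buildEmailInsertUnsafe(vals, provId) {
  const q = (v) => `'${v}'`;
  return {
    text:
      'INSERT INTO email(col1, col2, col3, col4, col5, col6, col7) ' +
      `(SELECT ${q(vals[0])}, ${q(vals[1])}, prov_first_name AS col3, prov_email AS col4, ` +
      `${q(vals[2])}, ${q(vals[3])}, ${q(vals[4])} FROM provider WHERE prov_id=(${provId}))`,
    values: [],
  };
}

// Constructed sample input: ordinary data that happens to contain an apostrophe.
const SAMPLE = ["O'Brien", 'subject', 'body', 'x', 'y'];

// With placeholders the query text is identical whatever the input contains.
function safeTextUnchanged() {
  const a = buildEmailInsert(SAMPLE, 42);
  const b = buildEmailInsert(['plain', 'subject', 'body', 'x', 'y'], 42);
  return a.text === b.text && a.text === INSERT_TEXT;
}

// With interpolation the apostrophe lands inside the SQL text itself.
function unsafeTextDependsOnInput() {
  return buildEmailInsertUnsafe(SAMPLE, 42).text.includes("'O'Brien'");
}
```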