Use parameterized queries in SQL connectors

We should use parameterized SQL commands instead of string concatenation in all our SQL-based connectors. 

Advantages:
- No space for introducing SQL injection vulnerabilities. All user-provided values are always encoded by the SQL engine.
- Parameterized SQL queries have significantly better performance, as the same querying plan can be used for all queries independently of parameter values. For queries built manualy via string concatenation, at least some SQL servers (MS SQL, IIRC) will build a new querying plan for each statement.

Connectors to fix:
- [ ] loopback-connector-mysql
- [ ] loopback-connector-postgresql
- [ ] loopback-connector-oracle
- [ ] loopback-connector-mssql


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Use parameterized queries in SQL connectors #983

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Use parameterized queries in SQL connectors #983

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions