are strings sanitized by honeysql, e.g. in insert statements? or do we have to do it ourselves?
{:insert-into :users
 :values [{:user_id user-id
           :email email
           :password hashed}]
 :returning [:user_id]}

HoneySQL doesn't do anything to escape anything - that's the job of the JDBC driver when executing a prepared statement.
In that query, HoneySQL will convert all scalar values (apart from the keywords and any values wrapped in [:inline ...] or [:raw ...]) to parameters, and those will be correctly dealt with by the driver.
I see, thanks!
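
The behaviour described in the answer can be checked at a REPL. This is an added example, not code from the thread; it assumes HoneySQL 2.x (namespace `honey.sql`) is on the classpath, and `split-statement` and all sample values are constructed for illustration.

```clojure
;; Added example; assumes HoneySQL 2.x (honey.sql) is on the classpath.
(require '[honey.sql :as sql]
         '[clojure.string :as str])

;; Constructed sample values. The email contains a single quote on purpose.
(def user-id 42)
(def email "o'brien@example.com")
(def hashed "constructed-hash-value")

(defn split-statement
  "Hypothetical helper: formats a HoneySQL map and returns the SQL text
  and the parameter values separately."
  [query]
  (let [[sql-text & params] (sql/format query)]
    {:sql sql-text :params (vec params)}))

;; 1. The query from the question: scalar values become parameters,
;;    so none of them appear in the SQL text handed to the driver.
(def parameterized
  (split-statement {:insert-into :users
                    :values [{:user_id user-id :email email :password hashed}]
                    :returning [:user_id]}))

(assert (not (str/includes? (:sql parameterized) email)))
(assert (not (str/includes? (:sql parameterized) hashed)))
(assert (= #{user-id email hashed} (set (:params parameterized))))

;; 2. A value wrapped in [:inline ...] is rendered into the SQL text by
;;    HoneySQL and is not sent as a parameter, so keep it for trusted constants.
(def inlined
  (split-statement {:select [:user_id]
                    :from [:users]
                    :where [:= :email [:inline email]]}))

(assert (empty? (:params inlined)))
(assert (str/includes? (:sql inlined) "brien@example.com"))

;; 3. [:raw ...] is spliced into the SQL text as written; only ever pass it
;;    a fixed string from your own code, never user input.
(def raw-fragment
  (split-statement {:select [:user_id]
                    :from [:users]
                    :where [:raw "active = TRUE"]}))

(assert (empty? (:params raw-fragment)))
(assert (str/includes? (:sql raw-fragment) "active = TRUE"))

(doseq [result [parameterized inlined raw-fragment]]
  (println (:sql result) "|" (:params result)))
```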