honeysql

Ryan Martin 2024-01-13T15:49:25.773719Z

Are strings sanitized by honeysql, e.g. in insert statements? Or do we have to do it ourselves?

{:insert-into :users
 :values [{:user_id user-id
           :email email
           :password hashed}]
 :returning [:user_id]}

p-himik 2024-01-13T16:17:39.694339Z

HoneySQL doesn't do anything to escape anything - that's the job of the JDBC driver when executing a prepared statement. In that query, HoneySQL will convert all scalar values (apart from the keywords and any values wrapped in [:inline ...] or [:raw ...]) to parameters, and those will be correctly dealt with by the driver.

Ryan Martin 2024-01-13T17:55:29.751749Z

I see, thanks!