(I was studying PostgreSQL and then I came to know about this type of attack.)
So here is what I have understood.
Suppose you have created an endpoint for signup which looks like this:
```javascript
app.post("/signup", async (req, res) => {
  const username = req.body.username;
  const password = req.body.password;
  const email = req.body.email;
  try {
    // The request values are spliced straight into the SQL text
    // (column order and value order kept aligned: username, email, password)
    const insertQuery = `INSERT INTO users (username, email, password) VALUES ('${username}', '${email}', '${password}')`;
    const response = await pgClient.query(insertQuery);
    res.json({
      message: "You have successfully signed up!",
    });
  } catch (e) {
    res.status(404).json({
      message: "Error while signing up!",
    });
  }
});
```
This is the endpoint we have created for the user to sign up, and it looks fine. But the main issue with this type of code is SQL injection. Suppose we go to Postman and send data that looks like this:
```json
{
  "username": "harry",
  "email": "[email protected]",
  "password": "''; DELETE FROM users;"
}
```
Here you can clearly see that inside the password key we have passed a string meant to delete all the users from the database. Because it is spliced directly into the query text, it is fully valid syntax to the database, and the result is the deletion of all the users from our database. So to avoid these types of SQL injection we will write the insertQuery like this:
```javascript
const insertQuery = `INSERT INTO users (username, email, password) VALUES ($1, $2, $3)`;
```
Here you can see that we are not inserting the values directly into the query text; instead we are using placeholders ($1, $2, $3), and when we talk to the database we pass the values as an array in the second argument, in the same order as the columns, like this:
```javascript
const response = await pgClient.query(insertQuery, [username, email, password]);
```
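As an added example (not the article's code), here is the parameterized signup put together end to end: the query is built as separate text and values, the input is type-checked first, and a small fake client stands in for node-postgres so it runs offline. The `users` table is the article's; `buildSignupInsert`, `makeFakeClient` and `signup` are names assumed here, and the sample body is constructed.

```javascript
// Build the insert as SQL text plus a values array. The placeholders $1..$3
// are bound by the server to the array entries, so the strings are never
// spliced into the SQL text: quotes and semicolons in them stay plain data.
function buildSignupInsert({ username, email, password }) {
  for (const [name, value] of Object.entries({ username, email, password })) {
    if (typeof value !== "string" || value.length === 0) {
      throw new TypeError(`${name} must be a non-empty string`);
    }
  }
  return {
    // column order and placeholder order match: username, email, password
    text: "INSERT INTO users (username, email, password) VALUES ($1, $2, $3)",
    values: [username, email, password],
  };
}

// Stand-in for pgClient.query(text, values): records each call it receives.
// The real node-postgres client takes the same (text, values) shape.
function makeFakeClient() {
  const log = [];
  return {
    log,
    async query(text, values) {
      log.push({ text, values });
      return { rowCount: 1 };
    },
  };
}

// The handler body, returned as a plain object instead of writing to res.
async function signup(client, body) {
  try {
    const q = buildSignupInsert(body);
    await client.query(q.text, q.values);
    return { status: 200, message: "You have successfully signed up!" };
  } catch (e) {
    return { status: 400, message: "Error while signing up!" };
  }
}

// Constructed sample request body, using the article's password value.
const sampleBody = {
  username: "harry",
  email: "harry@example.com",
  password: "''; DELETE FROM users;",
};
```

Whatever is in `sampleBody.password`, it reaches the client only as `values[2]`; the SQL text the server parses is the fixed string with the three placeholders.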
Note: Hope you have understood the things I have mentioned. By the way, this is my first time writing an article.