Node.jsframework~30 mins

Query parameterization for safety in Node.js - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Perf

Query Parameterization for Safety in Node.js

📖 Scenario: You are building a simple Node.js app that fetches user data from a database. To keep the app safe from harmful attacks, you need to use query parameterization.This means you will write your database query so that user input is handled safely, preventing attackers from changing your query in bad ways.

🎯 Goal: Build a Node.js script that safely queries a database using parameterized queries to get user information by ID.

📋 What You'll Learn

Create a variable with a user ID value

Create a SQL query string with a placeholder for the user ID

Use a parameterized query method to safely insert the user ID into the query

Complete the database query call with the correct parameters

💡 Why This Matters

🌍 Real World

Using parameterized queries is a key practice to protect web applications from SQL injection attacks, which are common security threats.

💼 Career

Backend developers and full-stack developers must know how to safely query databases to protect user data and maintain application security.

Progress0 / 4 steps

Set up the user ID variable

Create a variable called userId and set it to the number 42.

Node.js

# Create a variable called userId and set it to 42
# Your code here

Need a hint?

Use const userId = 42; to create the variable.

Write the SQL query string with a placeholder

Create a variable called sqlQuery and set it to the string "SELECT * FROM users WHERE id = ?". This string uses ? as a placeholder for the user ID.

Node.js

const userId = 42;
# Create a variable called sqlQuery with the value "SELECT * FROM users WHERE id = ?"
# Your code here

Need a hint?

Use a string with a question mark ? where the user ID will go.

Use parameterized query method to insert user ID safely

Write a line that calls db.query with sqlQuery and an array containing userId as parameters. Use the form db.query(sqlQuery, [userId]).

Node.js

const userId = 42;
const sqlQuery = "SELECT * FROM users WHERE id = ?";
# Call db.query with sqlQuery and [userId] as parameters
# Your code here

Need a hint?

Pass the SQL string and an array with userId to db.query.

Complete the database query call with a callback function

Add a callback function as the third argument to db.query that takes error and results parameters. Inside the callback, write an if statement that checks if error exists, and if so, returns the error. Otherwise, it logs results.

Node.js

const userId = 42;
const sqlQuery = "SELECT * FROM users WHERE id = ?";
db.query(sqlQuery, [userId], (error, results) => {
  # Add error check and log results
  # Your code here
});

Need a hint?

Use a callback with (error, results) => { ... } and handle error and results inside.