Code Room
Code review · Hard · cr-g438
Subject: SQL injection
Level: Senior–Staff
Time: ~24 min
Common in: Security · Databases & SQL interviews
Industries: Software development, Technology

Question

Review this Node Postgres endpoint that filters a JSONB column by a client-chosen key.

What a strong answer looks like

Separate real bugs from style. Rank issues by severity, point at the root cause rather than the symptom, and suggest a concrete fix — specific and kind.

Code to review (js)

async function findByAttr(pool, key, value) {
  // The JSONB key is interpolated into the SQL text; only the value is bound as $1.
  const sql = `SELECT id FROM events WHERE data->>'${key}' = $1`;
  const { rows } = await pool.query(sql, [value]);
  return rows;
}

app.get('/events', async (req, res) => {
  // attr and val arrive unchanged from the query string.
  const { attr, val } = req.query;
  const rows = await findByAttr(pool, attr, val);
  res.json(rows);
});
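A hardened findByAttr, added here as an example and not part of the exercise: the JSONB key is checked against an allowlist and then bound as a parameter next to the value, so the SQL text stays constant. RecordingPool, SAMPLE_EVENTS and ALLOWED_ATTRS are constructed stand-ins for pg.Pool, real rows and the real schema.

```javascript
// Added example (not the exercise's code). Assumes a node-postgres style pool
// whose query(text, values) resolves to { rows }.
const ALLOWED_ATTRS = new Set(['type', 'source', 'severity']); // constructed allowlist

function buildFindByAttr(key, value) {
  // Express's query parser can yield arrays or objects (?attr[]=x), so check the
  // type first, then reject any key the schema does not expose.
  if (typeof key !== 'string' || !ALLOWED_ATTRS.has(key)) {
    throw new Error(`unsupported attribute: ${String(key)}`);
  }
  if (typeof value !== 'string') {
    throw new Error('value must be a single string');
  }
  // The SQL text is a constant; key and value both travel as bind parameters.
  return {
    text: 'SELECT id FROM events WHERE data->>$1::text = $2',
    values: [key, value],
  };
}

async function findByAttrSafe(pool, key, value) {
  const { text, values } = buildFindByAttr(key, value);
  const { rows } = await pool.query(text, values);
  return rows;
}

// Constructed stand-in for pg.Pool so the example runs offline: it records each
// query and answers from an in-memory table instead of talking to Postgres.
class RecordingPool {
  constructor(events) { this.events = events; this.queries = []; }
  async query(text, values) {
    this.queries.push({ text, values });
    const [key, value] = values;
    const rows = this.events
      .filter((e) => String(e.data[key]) === value)
      .map((e) => ({ id: e.id }));
    return { rows };
  }
}

const SAMPLE_EVENTS = [ // constructed sample rows
  { id: 1, data: { type: 'login', severity: 'low' } },
  { id: 2, data: { type: 'login', severity: 'high' } },
  { id: 3, data: { type: 'logout', severity: 'low' } },
];

// True when a key is rejected before any SQL is built (the intended failure mode).
function rejectsKey(key) {
  try { buildFindByAttr(key, 'x'); return false; } catch { return true; }
}
```

In the original, the same check would have to live in findByAttr itself; the allowlist also documents which keys the endpoint is meant to expose.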