pg-smart-search
Security

How pg-smart-search prevents SQL Injection, manages parameterized queries, and secures filter keys for enterprise use.

Search engines are notorious for SQL Injection vulnerabilities because they dynamically construct queries based on user input. pg-smart-search (v1.1+) is built with an enterprise-grade security model.

Parameterized Queries

All user inputs (search terms, filters, cursor values) are passed as parameterized query values. The engine never interpolates raw input into the SQL string.

SqlSanitizer & Identifier Whitelist

While values are parameterized, SQL identifiers (table names, column names) cannot be parameterized in PostgreSQL.

To prevent injection via identifiers, the engine uses a strict whitelist system (SqlSanitizer):

  • tableName and searchColumns are validated against the database schema at initialization.
  • If a developer accidentally passes untrusted input as a column name, the sanitizer throws a fatal error rather than executing the query.

Never construct searchColumns from req.query directly. Always map user input to a predefined array of allowed columns.

Injection-Safe Filter Keys

When using dynamic filters (e.g., WHERE category = 'tech'), the engine enforces strict typing and validation on filter keys. Keys must be explicitly declared in the engine configuration, so the keys of a filter object cannot be used to inject SQL; only the filter values reach the query, and they travel as parameters.
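The three controls described above (parameterized values, an identifier allowlist checked against the schema, and filter keys that must be declared in the engine configuration) fit together in one small query builder. The following is an added example written for this page, not pg-smart-search's own code: the names `createEngine`, `assertIdentifiers`, `quoteIdent` and the `SCHEMA` snapshot are hypothetical, and the schema is a constructed stand-in for what an initialization-time introspection of `information_schema.columns` would return. The builder produces a `{ text, values }` pair suitable for `client.query(text, values)`; nothing taken from the search term or the filter values is ever concatenated into `text`.

```javascript
// Added example (hypothetical names, not the library's API): a minimal search
// query builder that applies the controls described on this page.

// Constructed schema snapshot: stands in for the result of introspecting the
// database at initialization. Only tables/columns listed here are accepted.
const SCHEMA = {
  articles: new Set(['id', 'title', 'body', 'category', 'published_at']),
};

// Plain PostgreSQL identifier shape: letters, digits, underscores, no leading digit.
const IDENT_RE = /^[a-z_][a-z0-9_]*$/;

// Double-quote an identifier. Called only after the allowlist check passed,
// so quoting is defence in depth, not the primary control.
function quoteIdent(name) {
  return '"' + name.replace(/"/g, '""') + '"';
}

// SqlSanitizer-style check: throw rather than run a query with an identifier
// that is not in the schema snapshot. Identifiers cannot be parameterized,
// so the allowlist is the only thing standing between input and the SQL text.
function assertIdentifiers(tableName, columns) {
  if (typeof tableName !== 'string' || !IDENT_RE.test(tableName) || !SCHEMA[tableName]) {
    throw new Error(`SqlSanitizer: unknown table ${JSON.stringify(tableName)}`);
  }
  for (const c of columns) {
    if (typeof c !== 'string' || !IDENT_RE.test(c) || !SCHEMA[tableName].has(c)) {
      throw new Error(`SqlSanitizer: unknown column ${JSON.stringify(c)} on ${tableName}`);
    }
  }
}

// Engine configuration: the table, the columns to search, and the filter keys
// together with the JavaScript type each filter value must have.
function createEngine({ tableName, searchColumns, filters }) {
  // Both search columns and filter keys are identifiers: validate once, at setup.
  assertIdentifiers(tableName, searchColumns);
  assertIdentifiers(tableName, Object.keys(filters));

  return {
    // Build a parameterized query. `term` and every filter value become $n
    // placeholders; filter keys are rejected unless declared in `filters`.
    build(term, filterValues = {}) {
      const values = [term];
      const termParam = `$${values.length}`;
      const where = [
        '(' +
          searchColumns
            .map((c) => `${quoteIdent(c)} ILIKE '%' || ${termParam} || '%'`)
            .join(' OR ') +
          ')',
      ];

      for (const [key, value] of Object.entries(filterValues)) {
        if (!Object.prototype.hasOwnProperty.call(filters, key)) {
          throw new Error(`filter key ${JSON.stringify(key)} is not declared in the engine config`);
        }
        if (typeof value !== filters[key]) {
          throw new Error(`filter ${key} expects ${filters[key]}, got ${typeof value}`);
        }
        values.push(value);
        where.push(`${quoteIdent(key)} = $${values.length}`);
      }

      const text = `SELECT * FROM ${quoteIdent(tableName)} WHERE ${where.join(' AND ')}`;
      return { text, values };
    },
  };
}
```

A typical call is `createEngine({ tableName: 'articles', searchColumns: ['title', 'body'], filters: { category: 'string' } }).build(req.query.q, { category: req.query.category })`: the request supplies only values, never the column list or the filter key set. A search term such as `'; DROP TABLE articles; --` ends up as `$1` in `values`, and a filter key that is not declared (or a column name that is not in the schema) causes a thrown error before any SQL is sent.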