Security
How pg-smart-search prevents SQL Injection, manages parameterized queries, and secures filter keys for enterprise use.
Search engines are notorious for SQL Injection vulnerabilities because they dynamically construct queries based on user input. pg-smart-search (v1.1+) is built with an enterprise-grade security model.
Parameterized Queries
All user inputs (search terms, filters, cursor values) are passed as parameterized query values. The engine never interpolates raw input into the SQL string.
SqlSanitizer & Identifier Whitelist
While values are parameterized, SQL identifiers (table names, column names) cannot be parameterized in PostgreSQL.
To prevent injection via identifiers, the engine uses a strict whitelist system (SqlSanitizer):
- `tableName` and `searchColumns` are validated against the database schema at initialization.
- If a developer accidentally passes untrusted input as a column name, the sanitizer throws a fatal error rather than executing the query.
Never construct searchColumns from req.query directly. Always map user input to a predefined array of allowed columns.
Injection-Safe Filter Keys
When using dynamic filters (e.g., WHERE category = tech), the engine enforces strict typing and validation on filter keys. Keys must be explicitly defined in the engine configuration, making it impossible for an attacker to inject via filter objects.
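As an added illustration of the pattern the three sections above describe (this is not pg-smart-search's own code; the function names, the allowed-column list and the `$n` placeholder style of node-postgres are assumptions), values travel in the parameter array while identifiers and filter keys are accepted only from a predefined whitelist:

```javascript
// Predefined in application code, never derived from req.query.
const ALLOWED_TABLES = ["articles"];
const ALLOWED_SEARCH_COLUMNS = ["title", "body"];
// Filter keys with the type each value must have (assumed configuration shape).
const ALLOWED_FILTER_KEYS = { category: "string", year: "number" };

// Whitelist check in the spirit of SqlSanitizer: an identifier is quoted and used
// only if it appears verbatim in the allowed list; anything else is a fatal error.
function assertIdentifier(name, allowed) {
  if (!allowed.includes(name)) {
    throw new Error(`Identifier "${name}" is not whitelisted`);
  }
  return `"${name}"`;
}

// Builds a search query. The search term and every filter value are pushed into
// `params` and referenced as $1, $2, ... so they never touch the SQL text.
function buildSearchQuery({ table, searchColumns, term, filters = {} }) {
  const tableSql = assertIdentifier(table, ALLOWED_TABLES);
  const cols = searchColumns.map((c) => assertIdentifier(c, ALLOWED_SEARCH_COLUMNS));
  const params = [term];
  const where = [`(${cols.map((c) => `${c} ILIKE '%' || $1 || '%'`).join(" OR ")})`];
  for (const [key, value] of Object.entries(filters)) {
    const expectedType = ALLOWED_FILTER_KEYS[key];
    if (!expectedType) throw new Error(`Filter key "${key}" is not defined in the configuration`);
    if (typeof value !== expectedType) throw new Error(`Filter "${key}" must be a ${expectedType}`);
    params.push(value);
    where.push(`"${key}" = $${params.length}`);
  }
  return { text: `SELECT * FROM ${tableSql} WHERE ${where.join(" AND ")}`, params };
}

// Constructed sample input: a term containing a quote and one typed filter.
const sampleQuery = buildSearchQuery({
  table: "articles",
  searchColumns: ["title", "body"],
  term: "O'Reilly",
  filters: { category: "tech" },
});
```

Passing `sampleQuery.text` and `sampleQuery.params` to a `pg` client keeps the quote in `O'Reilly` inert, while a column name or filter key outside the whitelist is rejected before any SQL is sent.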