Gift that keeps on giving

DB statement by string concat? Seriously?!

@possum It's a tagged template so I'm hoping that sql function fills a prepared statement internally

Joke is SQL in dem frontend but for me it's the general React shit that is a joke. It's not funny the world uses it. End of times

Do y'all have an actual footgun or vuln to point out or are you just bitching about the lack of an API endpoint and a model that contribute nothing to the app and just copy values over?

@lorentz Im just laughing at what is becoming from a "Simple client side UI library for making reusable components".

Architecture? Fuck reusability and concerns separation

@TeachMeCode I think this is just a batteries-included example

@AlgoRythm probably, would hope to never see that in a real codebase. But everything has its use

@TeachMeCode What concerns are there to separate, what elements to reuse in this example? From the DOM to the DB, everything shares the same concern of adding a bookmark. When the second use case arises that needs to add a bookmark, you can break the DB call out to a function. I swear, I can't imagine a more cargo cult complaint about this tech.

@lorentz everything has its place including this sql query living in the jsx, I just felt a bit triggered seeing a db query in jsx and posted without thinking much. That’s what happens when you’re on a few hrs of sleep lol. I also did some digging and found out this is Next.js which is react that starts from the server so the sql query makes sense to me now.

My separation of concerns “concern” was seeing sql embedded in what i thought was vanilla react code (the UI generally shouldn’t be aware of the db) but it’s totally forgivable now that I know its server rendered.

😳

It’s yucky but just to clarify:

This is NOT an sql injection issue

There’s been so much rage about this on twitter, based on incorect assumptions that this is sql injection hell

this blogpost explains Vercel sql template strings handles args separately

https://t.co/ZfJUfjwmT9