Open
@belgattitude
Description
It's very easy to create security issues when using template literals.
For example:
```js
const email = 'test@acme.org';
const res = sql.query`select * from where email = ${email}`;   // <-- Sanitized
const res = sql.query(`select * from where email = ${email}`); // <-- Not sanitized
```
Related:
Expected behaviour:
Don't accept the `()` version.
Actual behaviour:
Using it as a function -> doesn't sanitize! Risk!
Suggestion
Maybe take inspiration from Prisma (which fixed it in version 2.30 some time ago)
- release that fixed it: https://github.com/prisma/prisma/releases/tag/2.30.0 (with codemod)
- PR: Revisit prisma.$queryRaw("...") vs. prisma.$queryRaw template literal prisma/prisma#7142 (comment)
- doc: https://www.prisma.io/docs/concepts/components/prisma-client/raw-database-access#raw-queries-with-relational-databases
It would be nice to add a `queryUnsafe` as part of the feature (like `$queryRawUnsafe` in Prisma). That would be an escape hatch that gives insight into the nature of the query.
Software versions
- NodeJS:
- node-mssql: 10+
- SQL Server:
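The mechanism behind the issue, as an added example that is not part of the issue text and not node-mssql's own code: a tagged template receives the literal's string pieces and interpolated values separately and can turn each value into a `@pN` parameter, whereas the `fn(`...`)` form hands the function a single string in which the value has already been interpolated. The guard shows one way to "not accept the `()` version": the strings array that the JS engine passes to a tag function is frozen and carries a `.raw` property, and a plain string is neither. The `sqlTag` function, the `users` table and the hostile input are hypothetical and constructed for this example.

```javascript
// Added example (not node-mssql's code): a tagged template that parameterises
// interpolated values, plus a guard that refuses the untagged sqlTag(`...`) form.

// True only for the frozen strings array the engine passes to a tag function
// (it also carries a `.raw` array). A plain string or array fails this check.
function isTemplateStringsArray(strings) {
  return Array.isArray(strings) && Object.isFrozen(strings) && Array.isArray(strings.raw);
}

// Hypothetical tag: builds a parameterised query with @p0, @p1, ... placeholders
// (the placeholder style SQL Server uses). Values never touch the SQL text.
function sqlTag(strings, ...values) {
  if (!isTemplateStringsArray(strings)) {
    throw new TypeError(
      'sqlTag must be used as a tagged template (sqlTag`...`); ' +
      'calling it as a function sqlTag(`...`) would pass interpolated, unsanitised SQL'
    );
  }
  const params = {};
  let text = strings[0];
  values.forEach((value, i) => {
    const name = `p${i}`;
    params[name] = value;
    text += `@${name}` + strings[i + 1];
  });
  return { text, params };
}

// Tagged form: the value becomes a parameter, the SQL text stays constant.
function safeQuery(email) {
  return sqlTag`select * from users where email = ${email}`;
}

// Untagged form: interpolation already happened before sqlTag saw anything,
// so a hostile value is part of the SQL text. The guard rejects the call.
function unsafeQueryAttempt(email) {
  const interpolated = `select * from users where email = ${email}`;
  try {
    return sqlTag(interpolated);
  } catch (e) {
    return { error: e.message, interpolated };
  }
}

// Constructed attacker-controlled input (not from a real system).
const hostile = "x' OR 1=1 --";
console.log(safeQuery(hostile));          // { text: '... email = @p0', params: { p0: "x' OR 1=1 --" } }
console.log(unsafeQueryAttempt(hostile)); // { error: '...', interpolated: "... email = x' OR 1=1 --" }
```

In node-mssql terms the `{ text, params }` pair corresponds to a `Request` with one `.input()` per value; the point of the guard is that the library can tell at runtime whether it was invoked as a tag or as a function, and can refuse the latter instead of silently running the interpolated string.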