SQL built from request params
User input is concatenated into a query string. Parameterized queries or an ORM bound parameter removes injection risk.
Before
const q = "SELECT * FROM users WHERE email = '" + req.body.email + "'";Suggested direction
const q = 'SELECT * FROM users WHERE email = $1';
await db.query(q, [req.body.email]);