The postgres code snippet is a text-book example of how to enable SQL injection attacks. Great performance from the Vercel marketing team.
I don't think you understand what the code is doing. That's a string templating function, not a raw templated string. `${formData.get('name')}` will get passed as a parameter in a var-arg, not stuck straight into the string.
Right. The code converts all expressions into $N parameters. However, Postgres does not support parameters in all locations, e.g. this would fail:
import { tableName } from "../shared"
sql`SELECT * FROM ${tableName} WHERE id=${formData.get('id')}`
The @vercel/postgres package needs a big disclaimer that it works very differently from node-postgres and what is and is not allowed. They've looked at Postgres.js (https://github.com/porsager/postgres) before — wouldn't mind if they enabled those other cases in the same way.
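To make the two points above concrete, here is an added example (not code from the thread, @vercel/postgres or Postgres.js) of a minimal tagged-template `sql` that turns every `${...}` into a `$N` bound parameter, plus a hypothetical `ident()` helper that allowlists and quotes an identifier for the one place a parameter cannot go. `SqlIdent`, `ident`, the allowlist and the sample input are all assumptions made here.

```javascript
// Marker type so the tag can tell "splice this identifier as text" apart
// from "bind this value as a parameter". Hypothetical, not a library API.
class SqlIdent { constructor(quoted) { this.quoted = quoted; } }

// Hypothetical helper: the identifier must be on an allowlist, and is then
// double-quoted with embedded quotes doubled, so it never comes from input.
function ident(name, allowed) {
  if (!allowed.includes(name)) throw new Error(`identifier not allowed: ${name}`);
  return new SqlIdent('"' + name.replace(/"/g, '""') + '"');
}

// Tagged template: returns { text, values } ready for a parameterised query.
function sql(strings, ...exprs) {
  const values = [];
  let text = strings[0];
  exprs.forEach((expr, i) => {
    if (expr instanceof SqlIdent) {
      text += expr.quoted;            // identifier: spliced into the SQL text
    } else {
      values.push(expr);              // everything else: bound as $N
      text += "$" + values.length;
    }
    text += strings[i + 1];
  });
  return { text, values };
}

// Constructed untrusted input, as it might arrive from formData.get('id').
const userId = "1; DROP TABLE users; --";

// Form from the first reply: the value is a parameter, never SQL text, so the
// payload above is just a string compared against id.
const q1 = sql`SELECT * FROM users WHERE id=${userId}`;

// Failing form from the thread: the table name also becomes $1, and Postgres
// rejects that because identifiers cannot be bound parameters.
const q2 = sql`SELECT * FROM ${"users"} WHERE id=${userId}`;

// Working form: identifier goes through ident(), value stays a parameter.
const q3 = sql`SELECT * FROM ${ident("users", ["users", "orders"])} WHERE id=${userId}`;

function identRejected(name) {
  try { ident(name, ["users", "orders"]); return false; } catch { return true; }
}
```

`q2.text` is what the quoted snippet sends to the server (`SELECT * FROM $1 WHERE id=$2`), which is why it errors rather than injects.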
Also, node-postgres is ripe for sql injections because you just concatenate strings yourself when using it...