javascriptv3: update aurora-serverless-app to use paramaterized sql statements, Aurora Serverless (#7559)

Author: kellertk

javascriptv3/example_code/cross-services/aurora-serverless-app/src/handlers/post-items-handler.ts

@@ -11,10 +11,17 @@ const postItemsHandler: Handler = {
     ({ rdsDataClient }) =>
     async (req, res) => {
       const { description, guide, status, name }: Item = req.body;
+      const values = {
+        description: { StringValue: description },
+        guide: { StringValue: guide },
+        status: { StringValue: status },
+        name: { StringValue: name },
+      };
       const command = buildStatementCommand(
-        `insert into items (iditem, description, guide, status, username, archived)\nvalues ("${uuidv4()}", "${description}", "${guide}", "${status}", "${name}", 0)`,
+        `insert into items (iditem, description, guide, status, username, archived)
+         values ("${uuidv4()}", ":description", ":guide", ":status", ":name", 0)`,
+        values,
       );
-
       await rdsDataClient.send(command);
       res.status(200).send({});
     },

javascriptv3/example_code/cross-services/aurora-serverless-app/src/handlers/put-items-archive-handler.ts

@@ -9,9 +9,14 @@ const putItemsArchiveHandler: Handler = {
     ({ rdsDataClient }) =>
     async (req, res) => {
       const { itemId } = req.params;
-
+      const values = {
+        itemId: { StringValue: itemId },
+      };
       const command = buildStatementCommand(
-        `update items\nset archived = 1\nwhere iditem = "${itemId}"`,
+        `update items
+         set archived = 1
+         where iditem = ":itemId"`,
+        values,
       );
 
       await rdsDataClient.send(command);

javascriptv3/example_code/cross-services/aurora-serverless-app/src/statement-commands/command-helper.ts

@@ -1,14 +1,18 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 import { ExecuteStatementCommand } from "@aws-sdk/client-rds-data";
-import env from "../../env.json" assert { type: "json" };
+import env from "../../env.json" with { type: "json" };
 
-const buildStatementCommand = (sql: string) => {
+const buildStatementCommand = (
+  sql: string,
+  parameters?: { [key: string]: { [key: string]: unknown } },
+) => {
   return new ExecuteStatementCommand({
     resourceArn: env.CLUSTER_ARN,
     secretArn: env.SECRET_ARN,
     database: env.DB_NAME,
     sql,
+    [parameters ? "parameters" : ""]: [parameters],
   });
 };
 

javascriptv3/example_code/cross-services/aurora-serverless-app/tests/command-helper.unit.test.ts

@@ -12,4 +12,14 @@ describe("command-helper", () => {
       expect(command.input.sql).toBe(sql);
     });
   });
+  it("should create an ExecuteStatementCommand with the provided SQL statement and parameters", () => {
+    const sql = "select * from some_table where id = :id";
+    const parameters = {
+      id: { StringValue: "123" },
+    };
+    const command = buildStatementCommand(sql, parameters);
+    expect(command.constructor.name).toBe("ExecuteStatementCommand");
+    expect(command.input.sql).toBe(sql);
+    expect(command.input.parameters).toEqual([parameters]);
+  });
 });