chore: use paramaterized sql statements

Author: kellertk

javascriptv3/example_code/cross-services/aurora-serverless-app/src/handlers/post-items-handler.ts

@@ -11,10 +11,17 @@ const postItemsHandler: Handler = {
     ({ rdsDataClient }) =>
     async (req, res) => {
       const { description, guide, status, name }: Item = req.body;
+      const values = {
+        description: { StringValue: description },
+        guide: { StringValue: guide },
+        status: { StringValue: status },
+        name: { StringValue: name },
+      }
       const command = buildStatementCommand(
-        `insert into items (iditem, description, guide, status, username, archived)\nvalues ("${uuidv4()}", "${description}", "${guide}", "${status}", "${name}", 0)`,
+        `insert into items (iditem, description, guide, status, username, archived)
+         values ("${uuidv4()}", ":description", ":guide", ":status", ":name", 0)`,
+        values
       );
-
       await rdsDataClient.send(command);
       res.status(200).send({});
     },

javascriptv3/example_code/cross-services/aurora-serverless-app/src/statement-commands/command-helper.ts

@@ -1,14 +1,15 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 import { ExecuteStatementCommand } from "@aws-sdk/client-rds-data";
-import env from "../../env.json" assert { type: "json" };
+import env from "../../env.json" with { type: "json" };
 
-const buildStatementCommand = (sql: string) => {
+const buildStatementCommand = (sql: string, parameters?: { [key: string]: { [key: string]: unknown}}) => {
   return new ExecuteStatementCommand({
     resourceArn: env.CLUSTER_ARN,
     secretArn: env.SECRET_ARN,
     database: env.DB_NAME,
     sql,
+    [parameters ? "parameters" : ""]: [parameters]
   });
 };