use-cql-select-template-strings
Rule Details
Discourages calling a CQL query builder with a parenthesized template literal, as in SELECT(`...`), which adds interpolated values to the query text as is and so allows SQL injection attacks, in favor of the tagged template form SELECT `...`.
Version
This rule was introduced in @sap/eslint-plugin-cds 4.0.2.
Examples
✅ Correct example
In the following example, the where clause is a proper tagged template literal, so that the req.data.name expression can be validated before the SELECT is executed:
js
const cds = require('@sap/cds')

/**
 * AdminService: before CREATE/UPDATE on Authors, runs a SELECT whose where
 * clause is a tagged template literal, so the CQL builder can validate
 * req.data.name before the SELECT is executed (the pattern this rule wants).
 */
module.exports = class AdminService extends cds.ApplicationService {
  init() {
    const Authors = cds.entities('AdminService').Authors

    // Tagged template (no parentheses): `name = ${...}` reaches the builder
    // as template strings plus values, not as one pre-joined string.
    const lookupByName = async (req) => {
      await SELECT`ID`.from `Authors`.where `name = ${req.data.name}`
    }

    this.before(['CREATE', 'UPDATE'], Authors, lookupByName)
    return super.init()
  }
}
❌ Incorrect example
In the following example, the where clause is not a proper tagged template literal because it is enclosed in parentheses: the template literal is evaluated to a plain string first and then passed as an ordinary argument. In consequence, the req.data.name expression cannot be validated but is added as is to the SELECT statement. This is prone to SQL injection attacks.
js
const cds = require('@sap/cds')
// Negative example for use-cql-select-template-strings; the flagged form is kept on purpose.
module.exports = class AdminService extends cds.ApplicationService { init() {
const { Authors } = cds.entities('AdminService')
this.before (['CREATE', 'UPDATE'], Authors, async (req) => {
// FLAGGED: `.where (`...`)` is an ordinary call, so the template literal is
// evaluated to a plain string before the builder sees it and req.data.name is
// added to the statement as is. The tagged form `.where `name = ${...}`` lets
// the builder validate the value instead.
await SELECT`ID`.from `Authors`.where (`name = ${req.data.name}`)
})
return super.init()
}}