Pattern: Critical
SQL injection prevention in raw queries
Tags: parameterized, prepared statements, sanitize, user input
Error Messages
Problem
Using string concatenation to build SQL queries with user input creates SQL injection vulnerabilities. Attackers can manipulate queries to read or destroy database data.
Solution
Always use parameterized queries or prepared statements. In Node with pg: db.query('SELECT * FROM users WHERE id = $1', [userId]). The SQL text stays constant and the value is sent separately, so the database never parses user input as part of the query. Never interpolate user strings into SQL.
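An added example (not code from the original page) showing the same lookup written the unsafe way and the parameterized pg way. The FakePool stand-in, parseUserId helper and the sample input are assumptions of this example so it runs offline; with a real pg Pool the query call is identical.

```javascript
// Vulnerable: the user-controlled value is spliced into the SQL text, so
// the database cannot distinguish data from query structure.
function unsafeUserQuery(userId) {
  return { text: `SELECT * FROM users WHERE id = ${userId}`, values: [] };
}

// Safe: the SQL text is a constant with a $1 placeholder; the value is sent
// to PostgreSQL separately and is always treated as data, never as SQL.
function safeUserQuery(userId) {
  return { text: 'SELECT * FROM users WHERE id = $1', values: [userId] };
}

// Defensive check at the input boundary (assumed helper, not part of pg):
// ids must be positive integers; anything else is rejected with null
// instead of being handed to the database.
function parseUserId(raw) {
  return /^[1-9]\d*$/.test(String(raw)) ? Number(raw) : null;
}

// Minimal stand-in for pg's Pool (assumed, for offline use): records what
// would be sent over the wire so the separation of text and values is visible.
class FakePool {
  constructor() { this.sent = []; }
  async query(text, values = []) {
    this.sent.push({ text, values });
    return { rows: [] };
  }
}

// Application code: validate first, then run the parameterized query.
async function findUser(pool, rawId) {
  const id = parseUserId(rawId);
  if (id === null) throw new Error('invalid user id');
  const { text, values } = safeUserQuery(id);
  const { rows } = await pool.query(text, values);
  return rows[0] ?? null;
}

// Constructed sample input that is not a plain integer.
const sampleInput = '42 extra';
```

Whatever the input, safeUserQuery returns the same SQL text; only the values array changes, which is what makes the query safe.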