fix(postgres-emitter): use parameterized query to send the NOTIFY command

darrachequesne · darrachequesne · commit a227038facce · 2025-09-05T07:10:03.000+02:00
diff --git a/packages/socket.io-postgres-emitter/lib/index.ts b/packages/socket.io-postgres-emitter/lib/index.ts
@@ -380,9 +380,10 @@ export class BroadcastOperator<
         document.type,
         this.emitter.channel,
       );
-      await this.emitter.pool.query(
-        `NOTIFY "${this.emitter.channel}", '${payload}'`,
-      );
+      await this.emitter.pool.query("SELECT pg_notify($1, $2)", [
+        this.emitter.channel,
+        payload,
+      ]);
     } catch (err) {
       // @ts-ignore
       this.emit("error", err);
@@ -407,9 +408,10 @@ export class BroadcastOperator<
       type: document.type,
       attachmentId,
     });
-    this.emitter.pool.query(
-      `NOTIFY "${this.emitter.channel}", '${headerPayload}'`,
-    );
+    await this.emitter.pool.query("SELECT pg_notify($1, $2)", [
+      this.emitter.channel,
+      headerPayload,
+    ]);
   }
 
   /**
