From c28fdde73ac7321cbb94c4cf5c96b5ed84bbc95d Mon Sep 17 00:00:00 2001
From: kellertk
Date: Fri, 22 Aug 2025 10:05:33 -0700
Subject: [PATCH 1/2] chore: use paramaterized sql statements
---
 .../src/handlers/post-items-handler.ts | 11 +++++++++--
 .../src/handlers/put-items-archive-handler.ts | 9 +++++++--
 .../src/statement-commands/command-helper.ts | 5 +++--
 .../tests/command-helper.unit.test.ts | 10 ++++++++++
 4 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/javascriptv3/example_code/cross-services/aurora-serverless-app/src/handlers/post-items-handler.ts b/javascriptv3/example_code/cross-services/aurora-serverless-app/src/handlers/post-items-handler.ts
index c7cf4bed708..7a406b975ab 100644
--- a/javascriptv3/example_code/cross-services/aurora-serverless-app/src/handlers/post-items-handler.ts
+++ b/javascriptv3/example_code/cross-services/aurora-serverless-app/src/handlers/post-items-handler.ts
@@ -11,10 +11,17 @@ const postItemsHandler: Handler = {
 ({ rdsDataClient }) =>
 async (req, res) => {
 const { description, guide, status, name }: Item = req.body;
+ const values = {
+ description: { StringValue: description },
+ guide: { StringValue: guide },
+ status: { StringValue: status },
+ name: { StringValue: name },
+ };
 const command = buildStatementCommand(
- `insert into items (iditem, description, guide, status, username, archived)\nvalues ("${uuidv4()}", "${description}", "${guide}", "${status}", "${name}", 0)`,
+ `insert into items (iditem, description, guide, status, username, archived) values ("${uuidv4()}", ":description", ":guide", ":status", ":name", 0)`,
+ values
 );
-
 await rdsDataClient.send(command);
 res.status(200).send({});
 },
diff --git a/javascriptv3/example_code/cross-services/aurora-serverless-app/src/handlers/put-items-archive-handler.ts b/javascriptv3/example_code/cross-services/aurora-serverless-app/src/handlers/put-items-archive-handler.ts
index e40a935efbc..321069c0d35 100644
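Review bot: The placeholders on the added `values (...)` line are wrapped in double quotes, so `":description"`, `":guide"`, `":status"` and `":name"` are MySQL string literals rather than Data API parameters, and the insert will most likely store that literal text instead of the request values; the Data API binds only bare `:name` tokens, so the line should read `values ("${uuidv4()}", :description, :guide, :status, :name, 0)`. The same quoting is in the put-items-archive-handler hunk (`where iditem = ":itemId"`), which should become `where iditem = :itemId`. The `values` object also spells the field member `StringValue`, whereas the v3 client's `Field` union uses `stringValue`, so each entry should be of the form `description: { stringValue: description }`. Dropping the interpolation of the request body does remove the injection vector the commit targets, but nothing is written correctly until the tokens are unquoted. The handler arrow function starts before the hunk.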
--- a/javascriptv3/example_code/cross-services/aurora-serverless-app/src/handlers/put-items-archive-handler.ts
+++ b/javascriptv3/example_code/cross-services/aurora-serverless-app/src/handlers/put-items-archive-handler.ts
@@ -9,9 +9,14 @@ const putItemsArchiveHandler: Handler = {
 ({ rdsDataClient }) =>
 async (req, res) => {
 const { itemId } = req.params;
-
+ const values = {
+ itemId: { StringValue: itemId },
+ };
 const command = buildStatementCommand(
- `update items\nset archived = 1\nwhere iditem = "${itemId}"`,
+ `update items set archived = 1 where iditem = ":itemId"`,
+ values
 );
 await rdsDataClient.send(command);
diff --git a/javascriptv3/example_code/cross-services/aurora-serverless-app/src/statement-commands/command-helper.ts b/javascriptv3/example_code/cross-services/aurora-serverless-app/src/statement-commands/command-helper.ts
index 6ae571f0214..7469fdffe43 100644
--- a/javascriptv3/example_code/cross-services/aurora-serverless-app/src/statement-commands/command-helper.ts
+++ b/javascriptv3/example_code/cross-services/aurora-serverless-app/src/statement-commands/command-helper.ts
@@ -1,14 +1,15 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 import { ExecuteStatementCommand } from "@aws-sdk/client-rds-data";
-import env from "../../env.json" assert { type: "json" };
+import env from "../../env.json" with { type: "json" };
-const buildStatementCommand = (sql: string) => {
+const buildStatementCommand = (sql: string, parameters?: { [key: string]: { [key: string]: unknown}}) => {
 return new ExecuteStatementCommand({
 resourceArn: env.CLUSTER_ARN,
 secretArn: env.SECRET_ARN,
 database: env.DB_NAME,
 sql,
+ [parameters ? "parameters" : ""]: [parameters]
 });
 };
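Review bot: The added `[parameters ? "parameters" : ""]: [parameters]` line wraps the whole name-to-value map in a one-element array, but `ExecuteStatementCommand` takes `parameters` as a `SqlParameter[]` of `{ name, value }` objects, so the Data API has nothing to bind to the `:name` tokens and the handlers' parameterization cannot take effect. When `parameters` is omitted, the computed key also leaves a stray `"": [undefined]` property on the command input. The helper should translate the map into the SDK shape and only add the property when it is present, as below; typing the values as the client's `Field` union (exported by the same `@aws-sdk/client-rds-data` import) would also flag the `StringValue` spelling used by the callers, since the SDK member is `stringValue`. The `[parameters ...]` line in the second (linter) commit's command-helper hunk is the same code with a trailing comma.
```typescript
const buildStatementCommand = (
  sql: string,
  parameters?: Record<string, Field>,
) => {
  return new ExecuteStatementCommand({
    // … unchanged: resourceArn, secretArn, database, sql …
    ...(parameters
      ? {
          parameters: Object.entries(parameters).map(([name, value]) => ({
            name,
            value,
          })),
        }
      : {}),
  });
};
```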
diff --git a/javascriptv3/example_code/cross-services/aurora-serverless-app/tests/command-helper.unit.test.ts b/javascriptv3/example_code/cross-services/aurora-serverless-app/tests/command-helper.unit.test.ts
index 61b6c200df4..4096320d9ae 100644
--- a/javascriptv3/example_code/cross-services/aurora-serverless-app/tests/command-helper.unit.test.ts
+++ b/javascriptv3/example_code/cross-services/aurora-serverless-app/tests/command-helper.unit.test.ts
@@ -12,4 +12,14 @@ describe("command-helper", () => {
 expect(command.input.sql).toBe(sql);
 });
 });
+ it("should create an ExecuteStatementCommand with the provided SQL statement and parameters", () => {
+ const sql = "select * from some_table where id = :id";
+ const parameters = {
+ id: { StringValue: "123" },
+ };
+ const command = buildStatementCommand(sql, parameters);
+ expect(command.constructor.name).toBe("ExecuteStatementCommand");
+ expect(command.input.sql).toBe(sql);
+ expect(command.input.parameters).toEqual([parameters]);
+ });
 });
From 8f2bced21a4032aa73cd190003b88b932c0e9358 Mon Sep 17 00:00:00 2001
From: kellertk
Date: Wed, 27 Aug 2025 16:06:18 -0700
Subject: [PATCH 2/2] chore: run linter
---
 .../src/handlers/post-items-handler.ts | 2 +-
 .../src/handlers/put-items-archive-handler.ts | 2 +-
 .../src/statement-commands/command-helper.ts | 7 +++++--
 .../tests/command-helper.unit.test.ts | 20 +++++++++----------
 4 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/javascriptv3/example_code/cross-services/aurora-serverless-app/src/handlers/post-items-handler.ts b/javascriptv3/example_code/cross-services/aurora-serverless-app/src/handlers/post-items-handler.ts
index 7a406b975ab..6a84fb5fc0c 100644
--- a/javascriptv3/example_code/cross-services/aurora-serverless-app/src/handlers/post-items-handler.ts
+++ b/javascriptv3/example_code/cross-services/aurora-serverless-app/src/handlers/post-items-handler.ts
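Review bot: The added expectation `expect(command.input.parameters).toEqual([parameters]);` pins the wrapper's current output (the whole map inside a one-element array) rather than the `SqlParameter[]` shape of `{ name, value }` entries that `ExecuteStatementCommand` consumes, so the test passes while the parameters are unusable by the Data API. Asserting the SDK shape instead, `expect(command.input.parameters).toEqual([{ name: "id", value: { stringValue: "123" } }]);`, would make the test fail on the current helper and document the contract callers rely on. The fixture should likewise use `stringValue` rather than `StringValue`, since that is the member name of the client's `Field` union. The enclosing `describe` block starts before the hunk.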
@@ -20,7 +20,7 @@ const postItemsHandler: Handler = {
 const command = buildStatementCommand(
 `insert into items (iditem, description, guide, status, username, archived)
 values ("${uuidv4()}", ":description", ":guide", ":status", ":name", 0)`,
- values
+ values,
 );
 await rdsDataClient.send(command);
 res.status(200).send({});
diff --git a/javascriptv3/example_code/cross-services/aurora-serverless-app/src/handlers/put-items-archive-handler.ts b/javascriptv3/example_code/cross-services/aurora-serverless-app/src/handlers/put-items-archive-handler.ts
index 321069c0d35..2a0b6b5cea1 100644
--- a/javascriptv3/example_code/cross-services/aurora-serverless-app/src/handlers/put-items-archive-handler.ts
+++ b/javascriptv3/example_code/cross-services/aurora-serverless-app/src/handlers/put-items-archive-handler.ts
@@ -16,7 +16,7 @@ const putItemsArchiveHandler: Handler = {
 `update items
 set archived = 1
 where iditem = ":itemId"`,
- values
+ values,
 );
 await rdsDataClient.send(command);
diff --git a/javascriptv3/example_code/cross-services/aurora-serverless-app/src/statement-commands/command-helper.ts b/javascriptv3/example_code/cross-services/aurora-serverless-app/src/statement-commands/command-helper.ts
index 7469fdffe43..dfd1d13a889 100644
--- a/javascriptv3/example_code/cross-services/aurora-serverless-app/src/statement-commands/command-helper.ts
+++ b/javascriptv3/example_code/cross-services/aurora-serverless-app/src/statement-commands/command-helper.ts
@@ -3,13 +3,16 @@
 import { ExecuteStatementCommand } from "@aws-sdk/client-rds-data";
 import env from "../../env.json" with { type: "json" };
-const buildStatementCommand = (sql: string, parameters?: { [key: string]: { [key: string]: unknown}}) => {
+const buildStatementCommand = (
+ sql: string,
+ parameters?: { [key: string]: { [key: string]: unknown } },
+) => {
 return new ExecuteStatementCommand({
 resourceArn: env.CLUSTER_ARN,
 secretArn: env.SECRET_ARN,
 database: env.DB_NAME,
 sql,
- [parameters ? "parameters" : ""]: [parameters]
+ [parameters ? "parameters" : ""]: [parameters],
 });
 };
diff --git a/javascriptv3/example_code/cross-services/aurora-serverless-app/tests/command-helper.unit.test.ts b/javascriptv3/example_code/cross-services/aurora-serverless-app/tests/command-helper.unit.test.ts
index 4096320d9ae..84e45963eb3 100644
--- a/javascriptv3/example_code/cross-services/aurora-serverless-app/tests/command-helper.unit.test.ts
+++ b/javascriptv3/example_code/cross-services/aurora-serverless-app/tests/command-helper.unit.test.ts
@@ -12,14 +12,14 @@ describe("command-helper", () => {
 expect(command.input.sql).toBe(sql);
 });
 });
- it("should create an ExecuteStatementCommand with the provided SQL statement and parameters", () => {
- const sql = "select * from some_table where id = :id";
- const parameters = {
- id: { StringValue: "123" },
- };
- const command = buildStatementCommand(sql, parameters);
- expect(command.constructor.name).toBe("ExecuteStatementCommand");
- expect(command.input.sql).toBe(sql);
- expect(command.input.parameters).toEqual([parameters]);
- });
+ it("should create an ExecuteStatementCommand with the provided SQL statement and parameters", () => {
+ const sql = "select * from some_table where id = :id";
+ const parameters = {
+ id: { StringValue: "123" },
+ };
+ const command = buildStatementCommand(sql, parameters);
+ expect(command.constructor.name).toBe("ExecuteStatementCommand");
+ expect(command.input.sql).toBe(sql);
+ expect(command.input.parameters).toEqual([parameters]);
+ });
 });