I think one of the common workaround is to prepare the statement in a JS Query and then use SQL to EXEC the statement returned. Of course, this will allow users to inject SQL if the text1.value allows it or you do not sanitize the input before using it.