We should highlight that using prisma.raw() with parameters is not secure and recommend using prisma.raw`` #449
Comments
@Jolg42 Thanks for posting this issue. I'm trying to do a I'm wondering what you'd recommend for fixing this, as my
Thank you so much for any advice.
Currently it's very hard because the sql tag is not exported and there is no way to send params with the function (using the
@Sytten Thank you. I subscribed to that issue.
Adding variables with prisma.raw`` is not working either on MySQL.
@AlexVilchis Can you please open a new issue with a reproduction for that? That should not happen.
I still have concerns that it's way too easy to accidentally use parentheses when you actually don't want to. Would it be possible to maybe introduce a second method which just allows template literal inputs (e.g.
IMO, this is not just a docs issue – highlighting it in the docs is NOT enough. In fact, the current docs are long outdated, which shows how many users actually read them before using a feature. It's not enough.
I just realised that when you let autocompletion do its job, it will default to the parentheses method, which means no escaping will be done. That's very dangerous.
Then please open an issue in the appropriate place instead of talking to yourself in the docs repo @luca :D
Could we just transfer it back to prisma/prisma? You moved it here in the first place. edit: although @Jolg42's original issue was not really clear that it's not just a docs issue:
I created a new issue to clarify the concerns: prisma/prisma-client-js#727
I moved it here as it was tagged as devrel + docs (I assume that is why things are moved here), and thus belongs here.
Problem
Users are using prisma.raw() like
This example is using prisma.raw(), the pure text version, so there is no security around parameters. Only raw`` is secure because it's using https://github.com/blakeembrey/sql-template-tag
Solution
In this case it would be recommended to do
This should be highlighted in the docs (and examples?)
We also can think about how to warn users that are using prisma.raw(), or even disable it under a flag?
Note: prisma.raw`` parameters do not work as of today with PostgreSQL, see prisma/prisma-client-js#595
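Added example to illustrate the distinction the issue draws (this is not Prisma's code and not sql-template-tag itself): a minimal tagged template in the style of sql-template-tag, showing why raw`...` keeps interpolated values out of the SQL text while raw(...) with a plain string splices them in, plus a guard in the spirit of the "template literal inputs only" suggestion from the thread. The `Sql` class, the `sql` and `rawTagOnly` helpers, the `users` table and the input value are assumptions constructed for this example.

```javascript
// Added example, not Prisma's code and not sql-template-tag itself: a minimal
// tagged template in the same style, to show what separates raw`...` from
// raw("..." + value). Names below (Sql, sql, rawTagOnly, the users table) are
// illustrative assumptions.

// Holds the query as its constant text pieces plus the values that must be
// sent to the database as bound parameters, never spliced into the text.
class Sql {
  constructor(strings, values) {
    this.strings = strings;
    this.values = values;
  }

  // PostgreSQL-style positional placeholders: $1, $2, ...
  get text() {
    return this.strings.reduce((acc, piece, i) => acc + '$' + i + piece);
  }

  // MySQL-style anonymous placeholders: ?
  get sql() {
    return this.strings.join('?');
  }
}

// Tag function: JavaScript hands it the literal pieces and the interpolated
// values separately, so the values never become part of the SQL text.
function sql(strings, ...values) {
  return new Sql(strings, values);
}

// The pattern the issue warns about: raw("...") called with a plain string.
// Interpolation happens in JavaScript before any database driver sees the
// query, so a value containing a quote changes the statement itself.
function unsafeQuery(name) {
  return `SELECT * FROM users WHERE name = '${name}'`;
}

// The recommended pattern: raw`...`. The value stays in .values and reaches
// the driver as a bound parameter.
function safeQuery(name) {
  return sql`SELECT * FROM users WHERE name = ${name}`;
}

// Guard matching the "second method which only allows template literal
// inputs" idea: a tagged call receives a frozen strings array that carries
// an own .raw property; a plain string or an ordinary array does not.
function rawTagOnly(strings, ...values) {
  if (!Array.isArray(strings) || !Object.prototype.hasOwnProperty.call(strings, 'raw')) {
    throw new TypeError('rawTagOnly must be invoked as a tagged template, e.g. rawTagOnly`SELECT ...`');
  }
  return new Sql(strings, values);
}

// Constructed input: a legitimate name that happens to contain a quote.
const input = "O'Brien";
console.log('plain string  :', unsafeQuery(input)); // the quote ends the literal early
const q = safeQuery(input);
console.log('tagged (pg)   :', q.text, q.values);
console.log('tagged (mysql):', q.sql, q.values);
```

With the plain-string form the output statement reads `SELECT * FROM users WHERE name = 'O'Brien'`, which is already malformed before it reaches the database; with the tagged form the text stays `SELECT * FROM users WHERE name = $1` and the name travels in the parameter list. The `rawTagOnly` guard rejects `rawTagOnly("...")` at call time, which is the behaviour the thread asks for to stop autocompletion from steering users toward the unescaped variant.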