Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
We should highlight that using prisma.raw() with parameters is not secure and recommend using prisma.raw``
See original GitHub issueProblem
Users are using prisma.raw() like
const data = await prisma.raw(
`SELECT * FROM "ProviderItemAttribute" WHERE "provider_item" = ${root.id} AND "user" = ${auth.user.id} limit 1;`,
);
This example is using prisma.raw() the pure text version so there is no security around parameters.
Only raw`` is secure because it’s using https://github.com/blakeembrey/sql-template-tag
Solution
In this case it would be recommended to do
const data = await prisma.raw`
SELECT * FROM "ProviderItemAttribute" WHERE "provider_item" = ${root.id} AND "user" = ${auth.user.id} limit 1;
`;
This should be highlighted in the docs (and examples?)
We also can think about how to warn users that are using prisma.raw() or even disable it under a flag?
Note prisma.raw`` parameters do not work as of today with PostgreSQL see https://github.com/prisma/prisma-client-js/issues/595
Issue Analytics
- State:
- Created 3 years ago
- Reactions:3
- Comments:13 (10 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
IMO, this is not just a docs issue – highlighting it in the docs is NOT enough. In fact, the current docs are long outdated, which shows how many users actually read them before using a feature. It’s not enough.
@alexvilchis Can you please open a new issue with a reproduction for that? That should not happen