Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

queryRaw doesn't support dynamic tables names

See original GitHub issue

Bug description

const values = await prisma.$queryRaw`SELECT type FROM ${collection};`; fails with the error

Message: `db error: ERROR: syntax error at or near "$1"

However, const values = await prisma.$queryRawUnsafe(`SELECT type FROM ${collection};`); works fine.

Does anyone know why this occurs? I need to be able to be use the safe version to prevent SQL injection in my app 😕

How to reproduce

Raw query a postgres database with a dynamic table name.

Expected behavior

No response

Prisma information

generator client {
  provider = "prisma-client-js"
}

datasource db {
  provider = "postgresql"
  url      = env("DATABASE_URL")
}

model spacebudz {
  type              String?
}

Environment & setup

OS: Mac OS
Database: PostgreSQL
Node v16.10.10

Prisma Version

3.2.1

Issue Analytics

State:
Created 2 years ago
Reactions:4
Comments:9 (2 by maintainers)

Top GitHub Comments

8reactions

MilesConncommented, Jan 24, 2022

I actually found a solution to this that’s slightly safer imo than $queryRawUnsafe which is you can wrap the table name with const tableArg = Prisma.raw(tableName) and then use tableArg. This makes things slightly safer as its easier to validate the tableName than the entire string.

6reactions

dydentcommented, Feb 6, 2022

@MilesConn

I actually found a solution to this that’s slightly safer imo than $queryRawUnsafe which is you can wrap the table name with const tableArg = Prisma.raw(tableName) and then use tableArg. This makes things slightly safer as its easier to validate the tableName than the entire string.

This is a great and quick fix that actually worked for me:

Just wrap your inserted variable with Prisma.raw() and it should work.

In this context: const values = await prisma.$queryRaw SELECT type FROM ${Prisma.raw(collection)}; should do the job!

Top Results From Across the Web

Raw database access (Reference)

Prisma Client supports the option of sending raw queries to your database. ... $queryRaw does not support dynamic table names in PostgreSQL databases....

Prisma queryRaw throws error when using template string ...

I'm trying to write a service that takes the table name as a parameter, and the service itself calls queryRaw to run a...

Prisma $queryRaw with variable length parameter list

I need to use $queryRaw for a particular query due to use of unsupported tsvector type in the underlying table. In this query,...

Performing raw SQL queries

By default, Django figures out a database table name by joining the model's “app label” ... Dictionary params are not supported with the...

8 Coding Dynamic SQL Statements

You should use dynamic SQL in cases where static SQL does not support the operation ... You might let a user specify the...