Revisit prisma.$queryRaw("...") vs. prisma.$queryRaw template literal
Problem
Right now it's really easy to write a raw query that's susceptible to SQL injections:
// Raw query. Susceptible to SQL injections!
prisma.$queryRaw(`SELECT * FROM User WHERE email = ${email}`);
// Prepared query. Not susceptible to SQL injections.
prisma.$queryRaw`SELECT * FROM User WHERE email = ${email}`;
The difference is in the ( and ). This is far too subtle and there's no warning about which is which.
Suggested solution
- Investigate: Can we differentiate between prisma.$queryRaw("...") and the prisma.$queryRaw template literal?
If so,
- Rename prisma.$queryRaw("...") to something else. Perhaps $queryDangerouslyRaw. I think there are, since there are places where you can't use a prepared statement (e.g. CREATE TABLE "${table}"). If so, I don't think we want to disallow the capability entirely.
- Consider writing a codemod for npx @prisma/codemods to rename function calls (not template literals) to the new method.
If not,
- Consider other alternatives for clearly separating these two behaviors.
Other Ideas
- Maybe it’s possible for our VS Code extension to detect it and return a warning.
- Or maybe it’s possible at runtime to detect that it’s used the wrong way and throw an error?
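The two call shapes can in fact be told apart at runtime, which is what the last idea above asks. The block below is an added illustration, not code from the issue or from Prisma: a minimal model of how a tagged template keeps interpolated values out of the SQL text, plus a check that refuses the call form. The names `sql`, `queryRaw` and `isTemplateStringsArray` are assumptions made for this example.

```javascript
// A tagged-template call receives a TemplateStringsArray as its first
// argument; it is the only call shape whose first argument carries `raw`.
function isTemplateStringsArray(arg) {
  return Array.isArray(arg) && Array.isArray(arg.raw);
}

// Join the literal SQL fragments with positional placeholders ($1, $2, ...)
// and collect the interpolated values separately, the way a prepared
// statement sends them to the database (hypothetical helper, not Prisma's).
function sql(strings, ...values) {
  let text = strings[0];
  values.forEach((_, i) => {
    text += `$${i + 1}${strings[i + 1]}`;
  });
  return { text, values };
}

// Model of a $queryRaw that accepts only the tagged-template form. A plain
// string (already interpolated by the caller) is refused before it is sent.
function queryRaw(strings, ...values) {
  if (!isTemplateStringsArray(strings)) {
    throw new TypeError(
      "$queryRaw must be a tagged template ($queryRaw`...`); " +
        "use $queryRawUnsafe for a plain string",
    );
  }
  return sql(strings, ...values);
}

// Constructed input: a legitimate email that happens to contain a quote.
const email = "o'brien@example.com";

// Template form: the value is bound as $1 and never touches the SQL text.
const bound = queryRaw`SELECT * FROM User WHERE email = ${email}`;
// bound.text   -> "SELECT * FROM User WHERE email = $1"
// bound.values -> ["o'brien@example.com"]

// Call form: the quote is already spliced into the SQL string before
// queryRaw sees it, so the check throws instead of running the query.
function callFormIsRejected() {
  try {
    queryRaw(`SELECT * FROM User WHERE email = ${email}`);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}
```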
Issue analytics: created 2 years ago; 4 reactions; 6 comments (6 by maintainers).
Top GitHub Comments
The design of this change is the following:
Narrowed $queryRaw (breaking change)
$queryRaw now only supports a template literal.
Added $queryRawUnsafe
$queryRawUnsafe is a new function that can be a string or template string.
prisma.$queryRawUnsafe(query, args...)
prisma.$queryRawUnsafe(`create table ${table}`)
prisma.$queryRawUnsafe("select * from users where email = $1", "alice@prisma.io")
This is mostly to make the upgrade path easier.
$queryRaw to $queryRawUnsafe codemod
We plan to add a codemod to https://github.com/prisma/codemods that will turn all $queryRaw functions into $queryRawUnsafe functions. It will ignore $queryRaw tagged templates, since those work as is.
Yes, the last call will work while the first one will fail.