Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Revisit prisma.$queryRaw("...") vs. prisma.$queryRaw template literal
See original GitHub issueProblem
Right now it’s really easy to write a raw query that’s susceptible to SQL injections
// Raw query. Susceptible to SQL injections!
prisma.$queryRaw(`SELECT \* FROM User WHERE email = ${email}`);
// Prepared query. Not susceptible to SQL injections.
prisma.$queryRaw`SELECT \* FROM User WHERE email = ${email}`;
The difference is in the ( and ). This is far too subtle and there’s no warning about which is which.
Suggested solution
- Investigate: Can we differentiate between
prisma.$queryRaw("...")and the prisma.$queryRaw template literal?
If so,
-
Rename
prisma.$queryRaw("...")to something else. Perhaps$queryDangerouslyRaw.I think there are since there are places where you can’t use a prepared statement (e.g. CREATE TABLE “${table}”). If so, I don’t think we want to disallow the capability entirely.
-
Consider writing a codemod for
npx @prisma/codemodsto rename function calls (not template literals) to the new method
If not,
- Consider other alternatives for clearly separating these two behaviors
Other Ideas
- Maybe it’s possible for our VS Code extension to detect it and return a warning.
- Or maybe it’s possible at runtime to detect that it’s used the wrong way and throw an error?
Issue Analytics
- State:
- Created 2 years ago
- Reactions:4
- Comments:6 (6 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
The design of this change is the following:
Narrowed
$queryRaw(breaking change)$queryRawnow only supports a template literal.Added
$queryRawUnsafe$queryRawUnsafeis a new function that can be a string or template string.prisma.$queryRawUnsafe(query, args...).prisma.$queryRawUnsafe("create table ${table}").prisma.$queryRawUnsafe("select * from users where email = $1", "alice@prisma.io"). This is mostly to make the upgrade path easier.$queryRawto$queryRawUnsafecodemodWe plan to add a codemod to https://github.com/prisma/codemods that will turn all
$queryRawfunctions into$queryRawUnsafefunctions. It will ignore $queryRaw tagged templates, since those work as is.Yes, the last call will work while the first one will fail.