Move $queryRaw() to $dangerouslyQueryRaw() #7095
Labels
- kind/improvement: An improvement to existing feature and code.
- team/client: Issue for team Client.
- topic: raw: $queryRaw(Unsafe) and $executeRaw(Unsafe): https://www.prisma.io/docs/concepts/components/prisma-cli
- topic: security
Problem
It can be confusing for newer developers that these two are not the same:

The same is true for `$executeRaw`. This is quite a dangerous mistake to make, and so these functions should not be so close together, under the same name.

Suggested solution
Keep the tagged template literal and move `$queryRaw()` and `$executeRaw()` to `$dangerouslyQueryRaw()` and `$dangerouslyExecuteRaw()` (as React has done with `dangerouslySetInnerHTML`).

Alternatives
Another thing worth considering is to remove the tagged template literal `queryRaw`, because the "raw" already implies it is unsanitized. The sanitized tagged template literal could perhaps be moved under `sql` instead. The truly raw one could stay under `queryRaw()` or move to `$dangerouslyQueryRaw()`.

Sidenotes
I know that `queryRaw()` is just the implementation of the tagged template literal, but it could still be moved to `dangerouslyQueryRaw()`, and that could be the one recommended in the docs. The default implementation could also just return an error if used without any interpolation (although this would prevent people from using it even if they didn't have values to be sanitized).
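The distinction the issue is describing, as an added illustration that is not Prisma's code: a small query builder that is safe when invoked as a tagged template (values become bound placeholders) and unsafe when handed a pre-built string (the values are already spliced into the SQL), followed by the naming split the issue proposes. The names `strictQueryRaw` and `dangerouslyQueryRaw` and the `{ sql, params, parameterized }` result shape are assumptions made for the example, not a shipped API.

```javascript
// Added example, not Prisma's code. A minimal query builder that behaves
// differently depending on whether it is invoked as a tagged template literal
// (queryRaw`...`) or as a plain function (queryRaw("...")), which is the
// distinction the issue says is easy to miss.

// A tagged template call passes a "strings" array carrying a .raw property
// as its first argument; a plain call does not.
function isTemplateStringsArray(x) {
  return Array.isArray(x) && Array.isArray(x.raw);
}

// Tagged-template form: every interpolated value becomes a positional
// placeholder ($1, $2, ...) and is returned separately so a driver can bind
// it. The value's text never enters the SQL string.
function buildParameterized(strings, values) {
  let sql = '';
  const params = [];
  strings.forEach((chunk, i) => {
    sql += chunk;
    if (i < values.length) {
      params.push(values[i]);
      sql += `$${params.length}`;
    }
  });
  return { sql, params, parameterized: true };
}

// Overloaded function in the style the issue complains about: safe when used
// as a tag, unsafe when handed a pre-built string (whatever the caller
// concatenated in is already part of the SQL text).
function queryRaw(first, ...rest) {
  if (isTemplateStringsArray(first)) return buildParameterized(first, rest);
  return { sql: String(first), params: rest, parameterized: false };
}

// The split the issue proposes (hypothetical names, not a shipped API): the
// tag-only function refuses plain strings, and the raw-string form lives
// under a name that advertises the risk.
function strictQueryRaw(first, ...rest) {
  if (!isTemplateStringsArray(first)) {
    throw new TypeError(
      'queryRaw must be used as a tagged template literal; use dangerouslyQueryRaw for raw SQL strings'
    );
  }
  return buildParameterized(first, rest);
}

function dangerouslyQueryRaw(sql, ...params) {
  return { sql: String(sql), params, parameterized: false };
}

// Constructed hostile input for the demonstration.
const email = "alice@example.com' OR '1'='1";

// The two calls look alike at the call site, but only the tagged form keeps
// the input out of the SQL text.
const tagged = queryRaw`SELECT * FROM "User" WHERE email = ${email}`;
const plain = queryRaw(`SELECT * FROM "User" WHERE email = '${email}'`);

// Returns true when the tag-only variant rejects a plain string.
function strictRejectsPlainString() {
  try {
    strictQueryRaw(`SELECT * FROM "User" WHERE email = '${email}'`);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

`tagged.sql` comes back as `SELECT * FROM "User" WHERE email = $1` with the hostile string in `tagged.params`, while `plain.sql` already contains `OR '1'='1` verbatim; nothing downstream can undo that splice, which is why the issue argues the two forms should not share a name.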