Revisit prisma.$queryRaw("...") vs. prisma.$queryRaw template literal #7142
Related: #7095

Internal Note: we consider this a breaking change before the next major release.

The design of this change is the following: Narrowed
Discussed it with @millsp on Slack, but basically I got into the code of a pretty large customer that uses Prisma and I found a lot of SQL injections due to improper use of Prisma raw queries. So I support that 100%. Basically I want the following to fail:

```ts
// Plain string built by concatenation: `id` is interpolated straight into the SQL text
let query = `SELECT * FROM table`
if (id) {
  query += ` WHERE id = ${id}`
}
prisma.$queryRaw(query)
```

But this should still work:

```ts
// `sql` is the sql-template-tag helper (Prisma re-exports it as Prisma.sql);
// `id` stays a bound parameter and the two fragments compose into one tagged query
let query = sql`SELECT * FROM table`
if (id) {
  query = sql`${query} WHERE id = ${id}`
}
prisma.$queryRaw(query)
```
Yes, the last call will work while the first one will fail.

Closing since we've learned this will be possible. Remaining tasks are tracked in: #8628
Problem

Right now it's really easy to write a raw query that's susceptible to SQL injections.

The difference is in the `(` and `)`. This is far too subtle and there's no warning about which is which.

Suggested solution

prisma.$queryRaw("...") and the prisma.$queryRaw template literal? If so,

- Rename prisma.$queryRaw("...") to something else. Perhaps $queryDangerouslyRaw. I think there are, since there are places where you can't use a prepared statement (e.g. CREATE TABLE "${table}"). If so, I don't think we want to disallow the capability entirely.
- Consider writing a codemod for npx @prisma/codemods to rename function calls (not template literals) to the new method.

If not,

Other Ideas
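Why the `(`/`)` difference matters, as an added example (not Prisma's code or the thread's own): a minimal tagged-template helper in the spirit of sql-template-tag, a mock of the `$queryRaw` behaviour the thread asks for (plain strings rejected, tagged queries accepted), and the two builders from the comment above. The `Sql` class, `sql` tag, `queryRaw` mock and `buildWith*` functions are assumptions made for the illustration; the `users` table and the `id` input are constructed.

```javascript
// Added example, not Prisma's code: a minimal tagged-template helper in the
// spirit of sql-template-tag (which Prisma re-exports as Prisma.sql) and a mock
// of $queryRaw. Values never enter the SQL text; they travel as bind parameters.
class Sql {
  constructor(strings, values) {
    this.strings = strings; // literal SQL pieces, always values.length + 1
    this.values = values;   // bind parameters, in order of appearance
  }
  // Render with $1, $2, ... placeholders (PostgreSQL style).
  get text() { return this.strings.reduce((acc, s, i) => `${acc}$${i}${s}`); }
}

function sql(strings, ...values) {
  const outStrings = [strings[0]], outValues = [];
  values.forEach((v, i) => {
    if (v instanceof Sql) {
      // Nested fragment: splice its pieces and parameters in place, so that
      // sql`${base} WHERE id = ${id}` composes without stringifying anything.
      outStrings[outStrings.length - 1] += v.strings[0];
      for (let j = 1; j < v.strings.length; j++) {
        outValues.push(v.values[j - 1]);
        outStrings.push(v.strings[j]);
      }
      outStrings[outStrings.length - 1] += strings[i + 1];
    } else {
      outValues.push(v);
      outStrings.push(strings[i + 1]);
    }
  });
  return new Sql(outStrings, outValues);
}

// Mock $queryRaw: a plain string is rejected; a tagged query is handed to the
// driver as text plus separate parameters to prepare and bind.
function queryRaw(query) {
  if (!(query instanceof Sql)) throw new TypeError('$queryRaw needs sql`...`, not a string');
  return { text: query.text, values: query.values };
}

// The two builders from the thread; `id` is untrusted (constructed) input.
function buildWithConcat(id) {
  let query = 'SELECT * FROM users';
  if (id) query += ` WHERE id = ${id}`; // input becomes part of the SQL text
  return query;
}
function buildWithTag(id) {
  let query = sql`SELECT * FROM users`;
  if (id) query = sql`${query} WHERE id = ${id}`; // input stays a parameter
  return queryRaw(query);
}
```

With input `1 OR 1=1`, `buildWithConcat` yields SQL whose WHERE clause has been rewritten, while `buildWithTag` yields `SELECT * FROM users WHERE id = $1` with the whole input carried as a single parameter; passing the concatenated string to `queryRaw` throws.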