schultek / stormberry

Access your postgres database effortlessly from dart code.
https://pub.dev/packages/stormberry
MIT License

Missing documentation for QueryParams and custom query #36

Closed ynnob closed 1 year ago

ynnob commented 1 year ago

Hey,

QueryParams

I can't get the query with QueryParams to work and your documentation doesn't mention them. Also I guess they offer some risk for SQL injections?

Here is an example on what i expected to work:

    // Check if user already exists
    final matchingUser = (await db.users.queryUsers(const QueryParams(
      where: 'email="test@test.de"',
    )));

Error: (Column »test@test.de« doesn't exist)

    PostgreSQLSeverity.unknown 42703: Spalte »test@test.de« existiert nicht
    _PostgreSQLExecutionContextMixin._query    package:postgres/src/connection.dart:513
    _PostgreSQLExecutionContextMixin.query     package:postgres/src/connection.dart:474
    Database.query                             package:stormberry/…/core/database.dart:94

custom query

I think it would be awesome if you would add a minimalistic example to the documentation where you explain about Queries (https://pub.dev/packages/stormberry#queries).

Thanks!

ynnob commented 1 year ago

I found the error for my QueryParams request. Single quotes have to be used like -> where: 'email=\'test@test.de\''. But still I think this is a risky way of reading the data. Isn't SQL injection a thing here that could be avoided by using command params to replace "?"?

schultek commented 1 year ago

@ynnob I added a values property to QueryParams to set custom query parameters.

You can now do:

    // Check if user already exists
    final matchingUser = (await db.users.queryUsers(const QueryParams(
      where: 'email=@email',
      values: {'email': 'test@test.de'},
    )));

Documentation is another big topic that I have to work on. I'm happy to accept PRs if you want to help.
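The `values` map above is what makes a lookup on untrusted input safe: the placeholder stays a bound parameter instead of being spliced into the SQL text. Below is an added example (not code from the stormberry project) that wraps the lookup in a helper taking input from a request; it assumes a generated `User` model and that `queryUsers` returns a `List<User>`, and that `Database` is stormberry's connection type.

```dart
import 'package:stormberry/stormberry.dart';

/// Looks up a user by an email address that came from an untrusted source
/// (form field, API body). Assumes a generated `User` model (assumption).
Future<User?> findUserByEmail(Database db, String email) async {
  // Unsafe variant, kept only as a comment for contrast: interpolating the
  // input into the where clause lets any quote in `email` change the query.
  //   where: "email='$email'"
  //
  // Safe variant: `@email` is a named placeholder that the driver binds to
  // the value in `values`, so the input is always treated as data, never SQL.
  // QueryParams cannot be `const` here because `email` is a runtime value.
  final matches = await db.users.queryUsers(QueryParams(
    where: 'email=@email',
    values: {'email': email},
  ));
  return matches.isEmpty ? null : matches.first;
}
```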