Open lastmeta opened 1 year ago
All strings (or other types) are escaped before being sent to the database, so there is no risk of SQL injection. Documentation should probably cover this.
I thought more about this.
Custom queries are still dangerous though, right?
```dart
// Attacker-controlled identifier spliced straight into the query text.
// The database receives two statements instead of one.
String table = 'users; DROP TABLE users';
final oops = await session.db.query('select * from $table;');
```
So I noticed the `session.db.query` function doesn't allow you to supply params:
```dart
Future<List<List<dynamic>>> query(
  String query, {
  int? timeoutInSeconds,
  Transaction? transaction,
})
```
I expected that it would take a list of params and simply pass them on to the database, so the database can avoid 'executing' the params the way it does the SQL query.
We're using serverpod with a pretty intricate database schema, so we use custom queries a lot in order to make efficient queries rather than hitting the database constantly.
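The distinction raised above, as an added example that is not part of this issue or of Serverpod's code: Python's `sqlite3` module stands in for Dart and Postgres, the schema, rows, payload and `ALLOWED_TABLES` are constructed for the demonstration, and a tautology payload is used instead of the `; DROP TABLE` one because the `sqlite3` driver refuses more than one statement per `execute`. It also shows the caveat that matters for the `$table` case specifically: bind parameters only carry values, so a table name still has to be allowlisted or quoted as an identifier.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows; sqlite3 stands in for Postgres here."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL);
        INSERT INTO users (name, is_admin) VALUES ('alice', 1), ('bob', 0);
        """
    )
    return conn


def find_user_interpolated(conn, name):
    """Vulnerable: the caller's value is spliced into the SQL text, exactly like
    query('select * from $table;'). The database parses it as part of the query."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    """Fixed: the SQL text is constant and the value travels separately as a
    bind parameter, so the database never parses it as SQL."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Bind parameters only cover values. A table or column name is an identifier
# and cannot be bound, so a caller-supplied one must be checked against an
# allowlist (an assumption for this example) and quoted as an identifier.
ALLOWED_TABLES = frozenset({"users"})


def count_rows(conn, table):
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    # Double-quoting the identifier additionally protects against any future
    # allowlist entry that contains unusual characters.
    sql = f'SELECT COUNT(*) FROM "{table}"'
    return conn.execute(sql).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    payload = "nobody' OR '1'='1"   # constructed attacker input
    print("interpolated:", find_user_interpolated(db, payload))    # every row leaks
    print("parameterized:", find_user_parameterized(db, payload))  # no match
    try:
        count_rows(db, "users; DROP TABLE users")
    except ValueError as exc:
        print("rejected:", exc)
```

Running it shows the interpolated query returning both users for a name that does not exist, while the parameterized version returns nothing for the same input; the table-name check rejects the payload from the issue before any SQL is built.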
You are right, we should provide the option to provide parameters for this reason.
I wasn't able to find, in the docs, anything about SQL injection or whether it's guarded against or handled by Serverpod.