serverpod / serverpod_docs

Serverpod's official documentation.

sql injection? #3

Open lastmeta opened 1 year ago

lastmeta commented 1 year ago

I wasn't able to find, in the docs, anything about sql injection or if it's guarded against or handled by serverpod.

vlidholt commented 1 year ago

All strings (or other types) are escaped before being sent to the database, so there is no risk of sql injection. Documentation should probably cover this.

lastmeta commented 1 year ago

I thought more about this.

Custom queries are still dangerous though, right?

String table = 'users; DROP users';
final oops = await session.db.query('select * from $table;');

so I noticed the session.db.query function doesn't allow you to supply params:

Future<List<List<dynamic>>> query(
  String query, {
  int? timeoutInSeconds,
  Transaction? transaction,
})

I expected that it would take a list of params and simply pass them onto the database so the database can avoid 'executing' the params like it does the sql query.

We're using serverpod with a pretty intricate database schema, so we use custom queries a lot in order to make efficient queries rather than hitting the database constantly.
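An added illustration (not Serverpod's or this thread's code) of what the requested parameter support buys, and of the caveat the `$table` example above runs into: bound parameters protect values, but identifiers such as table names cannot be bound and need an allowlist instead. Python's sqlite3 stands in for the Postgres driver; the table data and function names are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory sample table standing in for a real "users" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.commit()
    return conn


def find_user_interpolated(conn: sqlite3.Connection, name: str) -> list:
    # Unsafe: the caller-supplied string is spliced into the SQL text, so the
    # database parses it as SQL (this mirrors query('... $table;') above).
    return conn.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()


def find_user_parameterised(conn: sqlite3.Connection, name: str) -> list:
    # Safe: the value travels separately from the statement; the database
    # never parses it as SQL, so quotes and keywords inside it are inert.
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


# Identifiers (table and column names) cannot be sent as parameters by any
# driver, so the only sound option is to check them against a fixed allowlist.
ALLOWED_TABLES = frozenset({"users", "orders"})


def table_allowed(table: str) -> bool:
    return table in ALLOWED_TABLES


def select_all(conn: sqlite3.Connection, table: str) -> list:
    if not table_allowed(table):
        raise ValueError(f"table name not allowed: {table!r}")
    return conn.execute(f"SELECT * FROM {table}").fetchall()
```

With the constructed data, the interpolated lookup for the value `' OR '1'='1` returns every row, the parameterised one returns none, and `users; DROP users` is rejected before any SQL is built.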

vlidholt commented 1 year ago

You are right, we should provide the option to provide parameters for this reason.