Prisma3mo ago
matt

Are Prisma queries parameterized to prevent SQL injections?

I was just reading about parameterized queries today and I was wondering whether Prisma uses parameterized queries under the hood to prevent SQL injection. I tried searching the docs for info about this, but could only find info about writing raw queries that are parameterized (which is not what I am trying to do).
3 Replies
Solution
Yetzederixx3mo ago
Yes. If you turn logging on you can see the queries; it takes a touch more effort to see the parameter values, but it's doable.
mattOP3mo ago
thanks!
Yetzederixx3mo ago
```js
const { PrismaClient } = require('@prisma/client');

const { config } = require('../../config');

// Log levels come from the per-environment config.
const db = new PrismaClient({ log: config.prisma.log }); // .$extends(withOptimize());

// This handler only fires when 'query' is among the configured log levels,
// so there is no need to disable it separately in dev/prod.
db.$on('query', (e) => {
  /* eslint-disable no-console */
  console.log(`Params: ${e.params}`);
  /* eslint-enable no-console */
});

module.exports = {
  db,
};
```
This is my local env config:
```js
const devConfig = require('./development');

module.exports = {
  ...devConfig,
  prisma: {
    log: [
      'query',
      'info',
      'warn',
      'error',
    ],
  },
};
```
Console output, since I happen to have VS Code open heh:
```
prisma:query SELECT "t1"."companyId", "t1"."adminId" FROM "public"."CompanyAdmin" AS "t1" WHERE "t1"."companyId" = $1
Params: ["03829f3f-d5bd-44ab-b412-51f2e0a59728"]
```
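The log lines above are the evidence the original question asks for: the SQL text carries a `$1` placeholder and the companyId travels separately in `Params`, which is what a parameterized (bound) query looks like at the driver. The example below is added to this thread and is not code from the posters or from Prisma. It shows why that split defeats injection, contrasts it with the string-concatenation form (the shape you get by building a string yourself for `prisma.$queryRawUnsafe()`, as opposed to the `$queryRaw` tagged template, which binds its interpolations), and includes a small audit over the thread's own `prisma:query` / `Params:` output that confirms no parameter value ended up inside the SQL text. The hostile companyId and the `findAdmins*` builders are constructed for illustration; the SQL text is copied from the log lines above.

```javascript
// Added example for this thread; not code from the original post or from Prisma.
// 1. A bound-parameter query vs. string concatenation, fed a hostile value.
// 2. An audit of Prisma query-log output ("prisma:query ..." + "Params: [...]").

// Constructed hostile value an attacker might submit as companyId.
const HOSTILE_ID = "x' OR '1'='1";

// Parameterized form: placeholders in the SQL text, values sent separately to the
// driver. The SQL text is the one Prisma printed in the thread above.
function findAdminsParameterized(companyId) {
  return {
    sql: 'SELECT "t1"."companyId", "t1"."adminId" FROM "public"."CompanyAdmin" AS "t1" WHERE "t1"."companyId" = $1',
    params: [companyId],
  };
}

// Vulnerable form: the value becomes part of the SQL text, so quotes in it
// change the statement. This is what hand-built strings for $queryRawUnsafe() do.
function findAdminsConcatenated(companyId) {
  return {
    sql: `SELECT "t1"."companyId", "t1"."adminId" FROM "public"."CompanyAdmin" AS "t1" WHERE "t1"."companyId" = '${companyId}'`,
    params: [],
  };
}

// Query-log output copied from the thread above: one prisma:query line followed
// by the Params line printed by the $on('query') handler.
const THREAD_LOG = `
prisma:query SELECT "t1"."companyId", "t1"."adminId" FROM "public"."CompanyAdmin" AS "t1" WHERE "t1"."companyId" = $1
Params: ["03829f3f-d5bd-44ab-b412-51f2e0a59728"]
`;

// Pair each "prisma:query" line with the "Params:" line that follows it.
function parseQueryLog(logText) {
  const lines = logText.split('\n').map((l) => l.trim()).filter(Boolean);
  const entries = [];
  for (let i = 0; i < lines.length; i += 1) {
    if (!lines[i].startsWith('prisma:query ')) continue;
    const next = lines[i + 1] || '';
    entries.push({
      sql: lines[i].slice('prisma:query '.length),
      params: next.startsWith('Params: ') ? JSON.parse(next.slice('Params: '.length)) : [],
    });
  }
  return entries;
}

// A logged query counts as bound when it has one $n placeholder per parameter
// and none of the parameter values appear verbatim inside the SQL text.
function auditEntry(entry) {
  const placeholders = entry.sql.match(/\$\d+/g) || [];
  const leaked = entry.params.filter((p) => entry.sql.includes(String(p)));
  return {
    placeholderCount: placeholders.length,
    paramCount: entry.params.length,
    leaked,
    bound: placeholders.length === entry.params.length && leaked.length === 0,
  };
}

// Does the hostile value make it into the SQL text for a given query builder?
function hostileValueReachesSql(builder) {
  return builder(HOSTILE_ID).sql.includes(HOSTILE_ID);
}

function auditThreadLog() {
  return parseQueryLog(THREAD_LOG).map(auditEntry);
}

console.log('parameterized leaks hostile value:', hostileValueReachesSql(findAdminsParameterized)); // false
console.log('concatenated leaks hostile value:', hostileValueReachesSql(findAdminsConcatenated)); // true
console.log('thread log audit:', auditThreadLog()); // one entry with bound: true
```

The audit is deliberately strict about the placeholder count matching the parameter count: a query built by concatenation produces a `Params: []` line with no `$n` in the text, so it fails even when the interpolated value happens to be harmless. Prisma's documentation describes `$on('query')` for log levels configured as `{ emit: 'event', level: 'query' }`, and the event's `params` field is a JSON string, which is why the parser runs `JSON.parse` on it.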