P
Prisma2mo ago
matt

Are Prisma queries parameterized to prevent SQL injections?

I was just reading about parameterized queries today and I was wondering does Prisma use parameterized queries under the hood to prevent SQL injections? I tried searching the docs for info about this, but could only find info about writing raw queries that are parameterized (which is not what I am trying to do)
Solution:
Yes, if you turn logging on you can see the queries, it takes a touch more effort to see the parameter values, but it's doable.
Jump to solution
3 Replies
Solution
Yetzederixx
Yetzederixx2mo ago
Yes, if you turn logging on you can see the queries, it takes a touch more effort to see the parameter values, but it's doable.
matt
mattOP2mo ago
thanks!
Yetzederixx
Yetzederixx2mo ago
const { PrismaClient } = require('@prisma/client');

const { config } = require('../../config');

const db = new PrismaClient({ log: config.prisma.log }); // .$extends(withOptimize());

// This will only fire when log has 'query' sent to it
// so no need to disable in dev/prod
db.$on('query', (e) => {
  /* eslint-disable no-console */
  console.log(`Params: ${e.params}`);
  /* eslint-enable no-console */
});

module.exports = {
  db,
};
const { PrismaClient } = require('@prisma/client');

const { config } = require('../../config');

const db = new PrismaClient({ log: config.prisma.log }); // .$extends(withOptimize());

// This will only fire when log has 'query' sent to it
// so no need to disable in dev/prod
db.$on('query', (e) => {
  /* eslint-disable no-console */
  console.log(`Params: ${e.params}`);
  /* eslint-enable no-console */
});

module.exports = {
  db,
};
This is my local env config 
const devConfig = require('./development');

module.exports = {
    ...devConfig,
    prisma: {
        log: [
            'query',
            'info',
            'warn',
            'error',
        ]
    }
};
const devConfig = require('./development');

module.exports = {
    ...devConfig,
    prisma: {
        log: [
            'query',
            'info',
            'warn',
            'error',
        ]
    }
};
Console output, since I happen to have vs code open heh 
prisma:query SELECT "t1"."companyId", "t1"."adminId" FROM "public"."CompanyAdmin" AS "t1" WHERE "t1"."companyId" = $1
Params: ["03829f3f-d5bd-44ab-b412-51f2e0a59728"]
prisma:query SELECT "t1"."companyId", "t1"."adminId" FROM "public"."CompanyAdmin" AS "t1" WHERE "t1"."companyId" = $1
Params: ["03829f3f-d5bd-44ab-b412-51f2e0a59728"]
Want results from more Discord servers?
Add your server