Created by nr7751 on 11/10/2024 in #help-and-questions
Security concern
Hello everyone,
I'm using Prisma ORM in my current project.
1. I have many dynamic GET queries, where the query specifies which table/column will serve as the operative field for filtering and sorting results.
2. This, in turn, means I should first validate the table/column names specified in the query against the database schema.
3. Because there’s no native Prisma ORM method to retrieve all tables and column names, I created a function that introspects the database and generates a matrix representing the schema. This matrix is created and exported when the server starts, so it can be imported to validate queries with dynamic table/column names.
4. With this approach, there are no additional calls to the database. The process is straightforward and efficient since it operates against a static data structure.
Questions:
A) Is this a good approach, or are there simpler, better alternatives?
B) Are there any security risks with creating a matrix that represents the entire database structure and making it available to the backend codebase? If so, would these risks outweigh the practical advantages and advise against this approach?
Thanks in advance for your time!
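One way to implement the allowlist check the post describes, as an added example that is neither part of the original post nor Prisma's own code: the contents of SCHEMA_MATRIX, the table and column names, and the shape of the incoming query object are constructed assumptions.

```javascript
// Constructed sample of the startup "schema matrix": model -> columns that may
// be used for filtering and sorting. In a real app it would be generated once
// at boot, but trimmed to what each endpoint should expose, not every column.
const SCHEMA_MATRIX = Object.freeze({
  user: new Set(['id', 'email', 'createdAt']), // passwordHash deliberately absent
  post: new Set(['id', 'title', 'authorId', 'createdAt']),
});

const SORT_DIRECTIONS = new Set(['asc', 'desc']);

class QueryValidationError extends Error {}

// Turn untrusted query-string values into a Prisma findMany() argument object.
// Names are checked against the allowlist and rejected on any mismatch, so
// Prisma never sees a caller-chosen table or field name.
function buildFindManyArgs(table, query) {
  // hasOwnProperty guards against names like "constructor" or "__proto__"
  // that resolve through the prototype chain on a plain object.
  if (!Object.prototype.hasOwnProperty.call(SCHEMA_MATRIX, table)) {
    throw new QueryValidationError(`unknown table: ${table}`);
  }
  const columns = SCHEMA_MATRIX[table];
  const args = {};

  if (query.sortBy !== undefined) {
    if (!columns.has(query.sortBy)) {
      throw new QueryValidationError(`unknown column: ${query.sortBy}`);
    }
    const dir = query.order ?? 'asc';
    if (!SORT_DIRECTIONS.has(dir)) throw new QueryValidationError(`bad order: ${dir}`);
    args.orderBy = { [query.sortBy]: dir };
  }

  if (query.filter !== undefined) {
    // filter is expected as { column: "value" }; only string equality is
    // accepted, so callers cannot smuggle Prisma operators like { contains }.
    args.where = {};
    for (const [col, value] of Object.entries(query.filter)) {
      if (!columns.has(col)) throw new QueryValidationError(`unknown column: ${col}`);
      if (typeof value !== 'string') {
        throw new QueryValidationError(`bad filter value for ${col}`);
      }
      args.where[col] = value;
    }
  }
  return args;
}
```

The returned object can be passed straight to `prisma[table].findMany(args)`; the allowlist, not the database, is what bounds the set of names a request can reach.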