sql injection?

[lastmeta]

I wasn't able to find, in the docs, anything about sql injection or if it's guarded against or handled by serverpod.

[vlidholt]

All strings (or other types) are escaped before being sent to the database, so there is no risk of sql injection. Documentation should probably cover this.

[lastmeta]

I thought more about this.

Custom queries are still dangerous though, right?

String table = 'users; DROP users';
final oops = await session.db.query('select * from $table;');

so I noticed the session.db.query function doesn't allow you to supply params:

Future<List<List<dynamic>>> query(
  String query, {
  int? timeoutInSeconds,
  Transaction? transaction,
})

I expected that it would take a list of params and simply pass them onto the database so the database can avoid 'executing' the params like it does the sql query.

We're using serverpod with a pretty intricate database schema, so we use custom queries a lot in order to make efficient queries rather than hitting the database constantly.

[vlidholt]

You are right, we should provide the option to provide parameters for this reason.