Prisma findUnique is SQL injection safe?

I've created a Nuxt3 project whereby I am loading products from Stripe into a product shelf, it pulls all the basic information like the name, and the price, and description, but I have also pulled the product ID across.

On checkout I am getting Stripe to create a new checkout session; before the session starts, I'm validating by comparing store product IDs against the ids that have been brought in by the client.

```javascript
export async function validateProducts(client_cart) {
    var valid = false;

    for (let index = 0; index < client_cart.length; index++) {
        // needs validation
        if (typeof(client_cart[index].id) != "string") {
            break;
        }

        // getProduct - uses findUnique
        const product = await getProduct(client_cart[index].id);
        console.log(product)

        // ... further validation occurs here that sets valid to true if it gets
        //     through all the tests without breaking the loop
    }
    return valid;
}
```

getProduct() will take the id and use Prisma's findUnique() function to pull the data into the server to validate/check for stock/hold.

```typescript
export async function getProduct(id: string) {
    return await prisma.product.findUnique({
        where: {
            id: id,
        },
    })
}
```

This basically pulls the cart product object directly from the client; the id is then passed into the where clause of the findUnique() functionality. Would this be vulnerable to SQL injection, or does Prisma 'cover' (for lack of a better term) those vulnerabilities?

Looking through the Prisma documentation:

"ORMs help reduce the amount of code. They save you from writing repetitive SQL statements for common CRUD (Create Read Update Delete) operations and escaping user input to prevent vulnerabilities such as SQL injections."

Regardless, my two questions are:

  • Is it bad to expose the product ID from Stripe to the client?
  • Would Prisma's findUnique() function be vulnerable to SQL injection?
Asked by Caleb Havea, Oct 21 '25 20:10

1 Answer

Unless you are using $queryRawUnsafe or $executeRawUnsafe, you should be fine. Prisma will escape all parameters for you if necessary. Cf. https://www.prisma.io/docs/concepts/components/prisma-client/raw-database-access#sql-injection

Answered by some-user, Oct 24 '25 11:10
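The point of the answer is that the id only ever reaches the database as a bound parameter, so the real job of the server is to check that the id names a product you actually sell and to take price and stock from your own records, not from the cart. The following is an added example, not code from the question or from Prisma: it reimplements the question's validateProducts() flow with the Prisma findUnique() call replaced by an injected in-memory lookup, so it runs without a database. The catalog, the field names (priceCents, stock, quantity) and the limits are constructed for the example.

```javascript
// Added example. Constructed catalog standing in for the Product table.
const CATALOG = new Map([
  ["prod_A1", { id: "prod_A1", name: "Mug", priceCents: 1200, stock: 5 }],
  ["prod_B2", { id: "prod_B2", name: "Shirt", priceCents: 2500, stock: 0 }],
]);

// Stand-in for getProduct(): same contract as findUnique(), i.e. the id is
// compared as a value and null comes back when no row matches.
async function lookupProduct(id) {
  return CATALOG.get(id) ?? null;
}

// Validates a client cart. Resolves to { ok: true, lineItems } built from
// server-side data, or { ok: false, reason } on the first failed check.
// The client only chooses ids and quantities; price and stock are never trusted.
async function validateCart(clientCart, getProduct = lookupProduct) {
  if (!Array.isArray(clientCart) || clientCart.length === 0) {
    return { ok: false, reason: "empty cart" };
  }
  const lineItems = [];
  for (const item of clientCart) {
    // Type and length check before the value goes anywhere near the query layer.
    if (typeof item?.id !== "string" || item.id.length === 0 || item.id.length > 64) {
      return { ok: false, reason: "invalid id" };
    }
    const qty = Number.isInteger(item.quantity) ? item.quantity : 0;
    if (qty < 1 || qty > 99) {
      return { ok: false, reason: `bad quantity for ${item.id}` };
    }
    // Because the lookup is parameterised, an id with a stray quote in it is
    // just an id that matches nothing; it is rejected as unknown, not executed.
    const product = await getProduct(item.id);
    if (product === null) {
      return { ok: false, reason: `unknown product ${item.id}` };
    }
    if (product.stock < qty) {
      return { ok: false, reason: `insufficient stock for ${item.id}` };
    }
    // Any priceCents the client sent is ignored; the server's value is used.
    lineItems.push({ id: product.id, quantity: qty, priceCents: product.priceCents });
  }
  return { ok: true, lineItems };
}
```

In the real handler, pass a wrapper around prisma.product.findUnique() as getProduct and hand the returned lineItems to the Stripe session rather than anything from the client cart.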
