I've created a Nuxt3 project in which I load products from Stripe into a product shelf. It pulls all the basic information like the name, the price and the description, but I have also pulled the product ID across.
On checkout I am getting Stripe to create a new checkout session. Before the session starts I'm validating by comparing the store's product IDs against the IDs that have been sent in by the client.
    export async function validateProducts(client_cart) {
        var valid = false;
        for (let index = 0; index < client_cart.length; index++) {
            // needs validation: reject any cart entry whose id is not a string
            if (typeof(client_cart[index].id) != "string") {
                break;
            }
            // getProduct - uses findUnique to load the server-side product record
            const product = await getProduct(client_cart[index].id);
            console.log(product)
            // ... further validation occurs here that sets valid to true if it gets
            // through all the tests without breaking the loop
        }
        return valid;
    }
getProduct() takes the id and uses Prisma's findUnique() to pull the data into the server to validate/check for stock/hold.
    export async function getProduct (id: string) {
        // look the product up by primary key; the id comes straight from the client cart
        return await prisma.product.findUnique({
            where: {
                id: id,
            },
        })
    }
This basically pulls the cart product object directly from the client; the id is then passed into the where clause of findUnique(). Would this be vulnerable to SQL injection, or does Prisma 'cover' (for lack of a better term) those vulnerabilities?
Looking through the prisma documentation:
"ORMs help reduce the amount of code. They save you from writing repetitive SQL statements for common CRUD (Create Read Update Delete) operations and escaping user input to prevent vulnerabilities such as SQL injections."
Regardless, my two questions are:
Unless you are using $queryRawUnsafe or $executeRawUnsafe, you should be fine. Prisma will escape all parameters for you if necessary. Cf. https://www.prisma.io/docs/concepts/components/prisma-client/raw-database-access#sql-injection