Supabase escaping strings

[sadar]

Does Supabase support escaping strings when calling RPC (Remote Procedure Call) functions in PostgreSQL, and if so, what’s the recommended method for ensuring that special characters are handled correctly?

[GaryAustin1]

If you are using a Supabase REST client, like supabase-js, you should not need to handle escaping strings in data/parameters.

[sadar]

Are there potential issues with using direct SQL queries instead of Supabase client libraries for calling Postgres functions, particularly regarding string escaping and SQL injection vulnerabilities?

[GaryAustin1]

You can't call direct SQL with HTTP or the REST clients. You can only use direct SQL with the database ports from a server Postgres library. The SQL code you generate there would need to be handled by you and the library you use as far as injection. For instance here is a discussion on a Python library (each will be different) https://stackoverflow.com/questions/45128902/psycopg2-and-sql-injection-security.

If you generate dynamic SQL statement to execute in the Postgres function then you do need to take care, but otherwise no. https://dba.stackexchange.com/questions/49699/sql-injection-in-postgres-functions-vs-prepared-queries