Supabase escaping strings #29527
Does Supabase support escaping strings when calling RPC (Remote Procedure Call) functions in PostgreSQL, and if so, what’s the recommended method for ensuring that special characters are handled correctly?
Answered by
GaryAustin1
Sep 27, 2024
If you are using a Supabase REST client, like supabase-js, you should not need to handle escaping strings in data/parameters.
2 replies
You can't call direct SQL with HTTP or the REST clients. You can only use direct SQL with the database ports from a server Postgres library. The SQL code you generate there would need to be handled by you and the library you use as far as injection. For instance here is a discussion on a Python library (each will be different) https://stackoverflow.com/questions/45128902/psycopg2-and-sql-injection-security.
If you generate a dynamic SQL statement to execute in the Postgres function then you do need to take care, but otherwise no. https://dba.stackexchange.com/questions/49699/sql-injection-in-postgres-functions-vs-prepared-queries
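
Added example, not part of the original discussion: the difference between static and dynamic SQL inside a Postgres function that is called over RPC, with the concatenated form next to a hardened one. The `customers` table, its columns and the function names are hypothetical and exist only for this illustration.

```sql
-- Constructed sample table for the example.
CREATE TABLE IF NOT EXISTS customers (
    id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    last_name text NOT NULL,
    city      text NOT NULL
);

-- Static SQL: the parameter is bound as a value and never parsed as SQL,
-- so a name such as O'Brien needs no escaping by the caller.
CREATE OR REPLACE FUNCTION find_by_last_name(p_last_name text)
RETURNS SETOF customers
LANGUAGE sql STABLE
AS $$
    SELECT * FROM customers WHERE last_name = p_last_name;
$$;

-- Dynamic SQL, unsafe: both arguments are concatenated into the statement
-- text, so a quote in p_value changes the statement that EXECUTE runs.
CREATE OR REPLACE FUNCTION find_by_column_unsafe(p_column text, p_value text)
RETURNS SETOF customers
LANGUAGE plpgsql STABLE
AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM customers WHERE ' || p_column || ' = ''' || p_value || '''';
END;
$$;

-- Dynamic SQL, hardened: the column name is checked against an allow-list
-- and quoted as an identifier with %I; the value is bound with USING as $1.
CREATE OR REPLACE FUNCTION find_by_column(p_column text, p_value text)
RETURNS SETOF customers
LANGUAGE plpgsql STABLE
AS $$
BEGIN
    IF p_column NOT IN ('last_name', 'city') THEN
        RAISE EXCEPTION 'unsupported filter column: %', p_column;
    END IF;
    RETURN QUERY EXECUTE
        format('SELECT * FROM customers WHERE %I = $1', p_column)
        USING p_value;
END;
$$;

-- Works unchanged for values containing quotes:
-- SELECT * FROM find_by_column('last_name', 'O''Brien');
```

Only `find_by_column_unsafe` depends on what the caller sends; the other two treat the argument purely as data, which is why no client-side escaping is needed for them.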