Missing documentation for QueryParams and custom query
ynnob opened this issue · 2 comments
Hey,
QueryParams
I can't get the query with QueryParams to work and your documentation doesn't mention them.
Also I guess they offer some risk for SQL injections?
Here is an example of what I expected to work:
// Check if user already exists
final matchingUser = (await db.users.queryUsers(const QueryParams(
where: 'email="test@test.de"',
)));
Error: (Column »test@test.de« doesn't exist)
PostgreSQLSeverity.unknown 42703: Spalte »test@test.de« existiert nicht
_PostgreSQLExecutionContextMixin._query package:postgres/src/connection.dart:513
_PostgreSQLExecutionContextMixin.query package:postgres/src/connection.dart:474
Database.query package:stormberry/…/core/database.dart:94
custom query
I think it would be awesome if you would add a minimalistic example to the documentation where you explain about Queries (https://pub.dev/packages/stormberry#queries)
Thanks!
I found the error for my QueryParams request. Single quotes have to be used, like -> where: 'email='test@test.de'',
But still I think this is a risky way of reading the data. Isn't SQL injection a thing here that could be avoided by using command params to replace "?"?
@ynnob I added a values property to QueryParams to set custom query parameters.
You can now do:
// Check if user already exists
final matchingUser = (await db.users.queryUsers(const QueryParams(
where: 'email=@email',
values: {'email': 'test@test.de'},
)));
Documentation is another big topic that I have to work on. I'm happy to accept PRs if you want to help.
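A fuller illustration of the parameterized form, added here as an example and not taken from the stormberry project or from either commenter: it assumes the `db.users.queryUsers(QueryParams(where: ..., values: ...))` API and the `@name` placeholder syntax shown in the reply above, plus a hypothetical `User` result type and the `package:stormberry/stormberry.dart` import. It also goes one step beyond the reply: bound parameters protect values only, so a column name coming from outside still has to be allowlisted.

```dart
// Added example; assumes the stormberry API shape shown in this issue
// (db.users.queryUsers(QueryParams(where:, values:))) and a generated
// `User` type. Import path and `User` are assumptions.
import 'package:stormberry/stormberry.dart';

/// Columns a caller may filter on. `values` can only bind SQL *values*;
/// identifiers such as column names cannot be parameterized, so they are
/// checked against this allowlist before being written into `where`.
const Set<String> _filterableColumns = {'email', 'name'};

/// Returns users whose [column] equals [value].
///
/// [column] must be one of [_filterableColumns]; [value] is never
/// concatenated into the SQL text but passed through [QueryParams.values].
Future<List<User>> findUsersBy(Database db, String column, String value) {
  if (!_filterableColumns.contains(column)) {
    throw ArgumentError.value(column, 'column', 'not an allowed filter column');
  }
  // Not `const QueryParams(...)` here: `value` is only known at runtime.
  return db.users.queryUsers(QueryParams(
    where: '$column=@value',
    values: {'value': value},
  ));
}

/// The single-quoted pattern from the first comment, generalized to a
/// runtime value. The quoting is valid SQL, but any single quote inside
/// [email] ends the literal and changes the statement. Shown only for
/// comparison with [findUsersBy]; do not use.
Future<List<User>> findUsersUnsafe(Database db, String email) {
  return db.users.queryUsers(QueryParams(where: "email='$email'"));
}
```

The `values` map is what keeps the email out of the SQL text; the allowlist is the separate check needed for anything that ends up in the statement as an identifier.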