preventing sql injections

[I-m-good-man]

I've read the documentation, but I still don't understand if your library provides protection against sql injections. If there is such a possibility, which method should I use? In which cases protection against sql injections is not implemented

[isoos]

@I-m-good-man: SQL injection happens when you are building a query string that includes the parameters inlined. If you want to do that, nobody can prevent it, however, it you are using the query method with the parameters, these values will not be inlined, instead sent as a separate part of the query. It prevents injection attacks, and also optimizes the query execution, as it spares the server a bit of time with a more efficient protocol.

There are multiple ways to specify parameter locations inside the query, you can see examples using @name or $2, but also ? could be used (each with different Sql initializer). The parameters object should be a Map for named parameters or List for indexed one. The type safety and specificity can be enhanced by using TypedValue instead of raw Dart types. (it will use the more efficient binary encoding this way).

[I-m-good-man]

If you want to do that, nobody can prevent it, however, it you are using the query method with the parameters, these values will not be inlined, instead sent as a separate part of the query.

in this case, what does a query to a database in sql look like? how can parameter values be passed separately from the query string?

[isoos]

A few examples:

This query has a single positional parameter:
https://github.com/isoos/postgresql-dart/blob/master/example/example.dart#L45-L48

This query has a single named parameter:
https://github.com/isoos/postgresql-dart/blob/master/example/example.dart#L52-L55

Multiple named parameters:
https://github.com/isoos/postgresql-dart/blob/master/test/query_test.dart#L103-L156

Internally every such parameter gets converted to a query string with $1, $2, ... as parameter placeholders, and the values will be converted to a list, having the appropriate value in the given position. The binary protocol then sends the query and the parameter values (encoded efficiently) separately.

[I-m-good-man]

Internally every such parameter gets converted to a query string with $1, $2, ... as parameter placeholders

do I understand correctly, when the Connection.execute or Connection.prepared method is called, does the library under the hood create a prepared statement for these queries?
in the case of Connection.execute, this prepared statement is called immediately and released, and in the case of Connection.prepare, the prepared statement exists until we release it ourselves using Statement.dispose or until we close the connection

[isoos]

That is correct.

[I-m-good-man]

Super, thank you so much for helping me figure it out!