From 523bbd137771f28c54a52d48bad9497b6a87f026 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 8 Jan 2026 03:51:09 +0000
Subject: [PATCH] docs: Add comments explaining sql.raw() usage for DDL statements

- Explain why parameterized queries cannot be used for ALTER TABLE
- Document that identifiers are validated to prevent SQL injection
- Address code review feedback about sql.raw() usage
- All 52 unit tests still passing

Co-authored-by: johndoe6345789 <224850594+johndoe6345789@users.noreply.github.com>
---
 src/app/api/admin/constraints/route.ts | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/app/api/admin/constraints/route.ts b/src/app/api/admin/constraints/route.ts
index abfb125..6a6d654 100644
--- a/src/app/api/admin/constraints/route.ts
+++ b/src/app/api/admin/constraints/route.ts
@@ -175,6 +175,11 @@ export async function POST(request: Request) {
 );
 }
 
+ // NOTE: We must use sql.raw() for DDL statements (ALTER TABLE) because PostgreSQL
+ // does not support binding identifiers (table names, column names, constraint names)
+ // as parameters. The identifiers are validated with isValidIdentifier() which ensures
+ // they only contain safe characters (letters, numbers, underscores) and match
+ // PostgreSQL naming conventions, preventing SQL injection.
 await db.execute(sql.raw(alterQuery));
 
 return NextResponse.json({
@@ -227,6 +232,9 @@ export async function DELETE(request: Request) {
 );
 }
 
+ // NOTE: We must use sql.raw() for DDL statements (ALTER TABLE) because PostgreSQL
+ // does not support binding identifiers (table names, constraint names) as parameters.
+ // All identifiers are validated with isValidIdentifier() to prevent SQL injection.
 const alterQuery = `ALTER TABLE "${tableName}" DROP CONSTRAINT "${constraintName}"`;
 await db.execute(sql.raw(alterQuery));
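Review bot: The new comment above `await db.execute(sql.raw(alterQuery))` in POST claims identifier validation makes the raw statement safe, but `alterQuery` is assembled outside the visible lines, so the claim only holds if every substituted fragment — not just table, column and constraint names — passes through isValidIdentifier(); an ADD CONSTRAINT statement usually also carries a CHECK expression, a referenced table or an ON DELETE action, and anything like that would reach sql.raw() verbatim. I would narrow the comment to what it can actually guarantee, e.g. `// Only identifiers checked by isValidIdentifier() may be concatenated into alterQuery; any other fragment (CHECK expression, referenced table, ON DELETE action) needs its own allow-list, since sql.raw() interpolates it unescaped.` The comment's premise is also slightly off: PostgreSQL indeed cannot bind identifiers as $n parameters, but that does not force sql.raw() — if the drizzle-orm version in use provides `sql.identifier(name)`, building the statement as a tagged `sql` template with `sql.identifier(tableName)` quotes and escapes the name itself and no longer depends on the regex, which is worth confirming. POST begins before this hunk and continues past it.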