docs: Add comments explaining sql.raw() usage for DDL statements

- Explain why parameterized queries cannot be used for ALTER TABLE
- Document that identifiers are validated to prevent SQL injection
- Address code review feedback about sql.raw() usage
- All 52 unit tests still passing

Co-authored-by: johndoe6345789 <224850594+johndoe6345789@users.noreply.github.com>
copilot-swe-agent[bot]
2026-01-08 03:51:09 +00:00
parent 29f7ba86a9
commit 523bbd1377


@@ -175,6 +175,11 @@ export async function POST(request: Request) {
);
}
// NOTE: We must use sql.raw() for DDL statements (ALTER TABLE) because PostgreSQL
// does not support binding identifiers (table names, column names, constraint names)
// as parameters. The identifiers are validated with isValidIdentifier() which ensures
// they only contain safe characters (letters, numbers, underscores) and match
// PostgreSQL naming conventions, preventing SQL injection.
await db.execute(sql.raw(alterQuery));
return NextResponse.json({
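Review bot: the comment asserts that isValidIdentifier() restricts identifiers to letters, numbers and underscores and "PostgreSQL naming conventions", but neither that function nor the construction of alterQuery is visible in this hunk, so a reader at the call site cannot check the claim; reference the validator's location (file and the regex it applies) in the comment so it stays accurate if the validator changes. It is also worth stating that the validated identifiers are still wrapped in double quotes when the statement is built, as the DELETE path does with `ALTER TABLE "${tableName}" DROP CONSTRAINT "${constraintName}"`, so that a mixed-case name or a reserved word that passes the validator does not break the DDL.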
@@ -227,6 +232,9 @@ export async function DELETE(request: Request) {
);
}
// NOTE: We must use sql.raw() for DDL statements (ALTER TABLE) because PostgreSQL
// does not support binding identifiers (table names, constraint names) as parameters.
// All identifiers are validated with isValidIdentifier() to prevent SQL injection.
const alterQuery = `ALTER TABLE "${tableName}" DROP CONSTRAINT "${constraintName}"`;
await db.execute(sql.raw(alterQuery));
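Review bot: the comment says "all identifiers are validated", but the validation call is not in this hunk and the template literal on the next line interpolates tableName and constraintName directly inside double quotes, so the safety of this statement rests entirely on isValidIdentifier() rejecting the double-quote character; this comment also drops the character-set detail that the POST comment gives (letters, numbers, underscores only), so repeat it here or point at the validator so the two comments do not drift apart. Consider moving the validate-then-quote step into one shared helper that every DDL path calls, rather than repeating a template literal per endpoint, so a future ALTER TABLE cannot skip the check.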