Next.js Discord

What is the "best" way to sanitize form inputs before inserting into a DB?

Answered
Nile Crocodile posted this in #help-forum
Nile Crocodile (OP)
I am using ShadCN's Form component with react-hook-form and zod to insert some data into my Supabase DB. However, I want to mitigate any SQL injections, cross-site scripting or any other malicious attacks.

Forgot to originally add, I am using drizzle as my orm and not using any supabase libraries directly.
Answered by Alfonsus Ardani
"If you use the PostgREST API(through supabase-js or other supabase client libs), all the inputs to the db are parametrized and the statements are prepared. No risk of a sql injection."

https://github.com/orgs/supabase/discussions/1452

7 Replies

Nile Crocodile (OP)
🤔 so I am not using supabase-js, I am using drizzle
Looks like they might also guard against it as well https://github.com/drizzle-team/drizzle-orm/discussions/446
Yes, modern libraries usually already sanitize the inputs to prevent common SQL injections and XSS.
If it's just storing data then you're fine. If you are using the data to perform conditional behaviors that define the flow of a program, for example searchParams, params, or cookies, then yeah, you need to validate it. (They are usually already sanitized, but not validated in accordance with your business application logic.)
Nile Crocodile (OP)
Awesome! I haven't really had to deal with forms, but I am working on a public form where people can upload college football players that are entering the transfer portal. But the more I think about it... I might just make this form private for my admins to use only 😅
Just mainly using it for submitting college football players to a database that I can then display on my website