using JS template literals exposes you to SQL injection btw

MMax (@rozenmd)using JS template literals exposes you to SQL injection btw

S

sty•1/4/24, 12:28 PM

Data feed is from a trusted source and clients won't have access to database at all. My plan is to make Durable object coordinate client db queries. I can set a strict filter for allowed queries. I should be safe right?

Original message was deleted

B

Bram•1/4/24, 12:36 PM

hmm, fair point...

I now went for tracking the status in the database and set it to

queud

queud

queud

queud after a successfully publishing the event, then run a background process that can retry in case of failures.

Ssty Data feed is from a trusted source and clients won't have access to database at ...

M

Max (@rozenmd)OP•1/4/24, 12:48 PM

if its just you developing it's probably fine, but i tend to avoid leaving vulns in my code, never know what people will use it for in the future

MMax (@rozenmd)if its just you developing it's probably fine, but i tend to avoid leaving vulns...

S

sty•1/4/24, 12:55 PM

Even if I make db accessible to clients, putting strict logic inside the worker that is bound to the db should be ok right?

For example, if

timeFrom

timeFrom

timeFrom

timeFrom or

timeTo

timeTo

timeTo

timeTo value is not a number, then ignore the client request on the worker side

M

Max (@rozenmd)OP•1/4/24, 1:04 PM

i'm just saying this isn't safe:

const createTable = await env.db.prepare(`
  CREATE TABLE IF NOT EXISTS ${tableName} (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    blockTs INTEGER,
    value TEXT,
    INDEX idx_blockTs (blockTs)
  )
`).run();

const createTable = await env.db.prepare(`
  CREATE TABLE IF NOT EXISTS ${tableName} (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    blockTs INTEGER,
    value TEXT,
    INDEX idx_blockTs (blockTs)
  )
`).run();

const createTable = await env.db.prepare(`
  CREATE TABLE IF NOT EXISTS ${tableName} (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    blockTs INTEGER,
    value TEXT,
    INDEX idx_blockTs (blockTs)
  )
`).run();

const createTable = await env.db.prepare(`
  CREATE TABLE IF NOT EXISTS ${tableName} (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    blockTs INTEGER,
    value TEXT,
    INDEX idx_blockTs (blockTs)
  )
`).run();

using

.bind()

.bind()

.bind()

.bind() makes it safe:

const createTable = await env.db.prepare(`
  CREATE TABLE IF NOT EXISTS ?1 (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    blockTs INTEGER,
    value TEXT,
    INDEX idx_blockTs (blockTs)
  )
`).bind(tableName).run();

const createTable = await env.db.prepare(`
  CREATE TABLE IF NOT EXISTS ?1 (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    blockTs INTEGER,
    value TEXT,
    INDEX idx_blockTs (blockTs)
  )
`).bind(tableName).run();

const createTable = await env.db.prepare(`
  CREATE TABLE IF NOT EXISTS ?1 (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    blockTs INTEGER,
    value TEXT,
    INDEX idx_blockTs (blockTs)
  )
`).bind(tableName).run();

const createTable = await env.db.prepare(`
  CREATE TABLE IF NOT EXISTS ?1 (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    blockTs INTEGER,
    value TEXT,
    INDEX idx_blockTs (blockTs)
  )
`).bind(tableName).run();

P

PolBaladas (⨍)•1/4/24, 1:40 PM

Hi guys is datetime supported? or only text/intger/real/blob

K

kian•1/4/24, 1:41 PM

Pretty much those - TEXT/REAL/INTEGERs are supported by the Date & Time functions though.

K

kian•1/4/24, 1:41 PM

https://www.sqlite.org/datatype3.html

P

PolBaladas (⨍)•1/4/24, 1:41 PM

thanks

TTigersWay I do regularly (little bit less than once a day) get these errors: `D1_ERROR: Ne...

V

Vy•1/4/24, 3:36 PM

@TigersWay Retry is definitely recommended but I'd like to understand more about your workload when you see these errors? Are these long-running queries?

S

sty•1/4/24, 7:49 PM

Maximum database size    2 GB (Workers Paid) beta / 500 MB (Free)
Maximum storage per account    50 GB (Workers Paid) beta / 5 GB (Free)

Maximum database size    2 GB (Workers Paid) beta / 500 MB (Free)
Maximum storage per account    50 GB (Workers Paid) beta / 5 GB (Free)

Maximum database size    2 GB (Workers Paid) beta / 500 MB (Free)
Maximum storage per account    50 GB (Workers Paid) beta / 5 GB (Free)

Maximum database size    2 GB (Workers Paid) beta / 500 MB (Free)
Maximum storage per account    50 GB (Workers Paid) beta / 5 GB (Free)

what is the difference between database and storage?

is it maximum 2gb per table in a db?

K

kian•1/4/24, 7:49 PM

Your databases can be a maximum of 2 GB, with all of your databases collectively needing to be under 50 GB (on Paid plans).

K

kian•1/4/24, 7:49 PM

Meaning you could have 25 2 GB databases, 50 1 GB databases, etc

S

sty•1/4/24, 7:51 PM

oof

S

sty•1/4/24, 7:53 PM

is there a way to use d1 api to create new db inside a worker dynamically?

without having to pre-bind in the toml file like this:

[[d1_databases]]
binding = "db" # i.e. available in your Worker on env.DB
database_name = "d1"
database_id = "#####################"

[[d1_databases]]
binding = "db" # i.e. available in your Worker on env.DB
database_name = "d1"
database_id = "#####################"

[[d1_databases]]
binding = "db" # i.e. available in your Worker on env.DB
database_name = "d1"
database_id = "#####################"

[[d1_databases]]
binding = "db" # i.e. available in your Worker on env.DB
database_name = "d1"
database_id = "#####################"

K

kian•1/4/24, 7:53 PM

Not currently.

T

Tudders•1/5/24, 2:22 AM

Hey all - is there a shortcut for a timestamp like now()?

J

Jumping Back•1/5/24, 3:52 AM

I have lots of transactions (stripe) and what not is it worth going with d1 or normal postgres

R

Ravi kiran•1/5/24, 5:24 AM

Hey guys, im trying to create a record having datetimes as fields. The fields are strings but im storing input datetimes as iso-strings. i get a D1 error when trying to get back data with another query. can some one look at my code and tell me how it can be cleared. attaching code and error

Screenshot_2024-01-05_at_10.55.35_AM.png

Screenshot_2024-01-05_at_10.55.53_AM.png

Kkarimfromjordan `unixepoch()` for `INTEGER` and `datetime()` for `TEXT`.

T

Tudders•1/5/24, 6:13 AM

thanks Karim

RRavi kiran Hey guys, im trying to create a record having datetimes as fields. The fields ar...

R

Ravi kiran•1/5/24, 8:00 AM

guys can someone help me with this please.

M

maguayo•1/5/24, 8:36 AM

Any estimation on the limits per databse after the "beta"? Now it's 2GB, it will increate to like 3GB or way more?

Mmaguayo Any estimation on the limits per databse after the "beta"? Now it's 2GB, it will...

J

Jumping Back•1/5/24, 9:42 AM

https://developers.cloudflare.com/d1/platform/pricing/

J

Jumping Back•1/5/24, 9:43 AM

maybe feb 2024? cause its say they gonna be start charging from that point onwards but its just a guess

J

Jumping Back•1/5/24, 10:05 AM

quick quest: does prisma migrate works with d1 or will i have to swap out with drizzle

RRavi kiran Hey guys, im trying to create a record having datetimes as fields. The fields ar...

C

Cyb3r-Jak3•1/5/24, 2:39 PM

My guess is that it’s due to string to use

>

> to compare strings so it wants a number. You should store date time stuff as integers so you can use

>

>.

Mmaguayo Any estimation on the limits per databse after the "beta"? Now it's 2GB, it will...

C

Cyb3r-Jak3•1/5/24, 2:40 PM

Should be around 10 GB for GA. Read replication

Original message was deleted

C

Cyb3r-Jak3•1/5/24, 4:48 PM

TIL

J

Jumping Back•1/5/24, 5:41 PM

Any idea on how to go about using prisma

R

Rabid•1/6/24, 1:38 AM

Using D1 for my World of Warcraft site, working great for storing population statistics gathered via the official Blizzard API

https://atlasforge.gg/wow-classic/population
Biggest DB is around 200 MB, should have plenty of space still

AtlasForge Wow Classic Armory

World of Warcraft Classic Season of Discovery Armory

AtlasForge is a tool to let you view World of Warcraft Classic Season of Discovery character equipment and statistics

RRabid Using D1 for my World of Warcraft site, working great for storing population sta...

M

Matt Silverlock•1/6/24, 9:10 AM

This is cool! The realm population data is nice.

JJumping Back Any idea on how to go about using prisma

J

Jumping Back•1/6/24, 1:31 PM

is there something regarding this

N

Nightelf9•1/6/24, 1:50 PM

hey guys im a beginner and am trying to build an animal fact app for my kids
im trying to use D1 database to store the animal names, facts, image url (to R3 bucket public link)
my issue is that I can't for the life of me figure out how to interact with the D1 database in my page or html/js
https://javascript-website.pages.dev/
it's still a while away from something semi decent, i figured it out with python locally but now im trying to turn it into JS and deploy it online with cloudflare because of the D1 integration it has. Thanks in advance!

D

Dj_Laag•1/6/24, 3:25 PM

Hey guys,

i need some advice on how to use d1 binding in combination with staticFormsPlugin.
I figured out how to access the formdata. But when trying load data to d1 it cannot find the context properly

Any Ideas?

Y

Yiwan•1/6/24, 3:49 PM

Hey guys, does D1 support returning fields after inserting, i.e.
INSERT INTO Table(field) VALUES(?) RETURNING id
(or different syntax for this stuff)?

K

kian•1/6/24, 3:53 PM

Yes

Y

Yiwan•1/6/24, 3:57 PM

Yey thank you

JJumping Back Any idea on how to go about using prisma

J

Jumping Back•1/6/24, 4:32 PM

I wonder if anybody got any idea regarding this

J

Jumping Back•1/6/24, 4:33 PM

I have a giant schema I do not want to switch

J

Jumping Back•1/6/24, 4:33 PM

Possible to use drizzle queries but prisma for schema migration

J

Jumping Back•1/6/24, 4:34 PM

But it will still require massive refactoring

JJumping Back Any idea on how to go about using prisma

M

Matt Silverlock•1/6/24, 5:32 PM

Prisma doesn’t yet support D1, primarily because Prisma doesn’t run in edge serverless environments like Workers (or Bun, or Deno) yet.

MMatt Silverlock Prisma doesn’t yet support D1, primarily because Prisma doesn’t run in edge serv...

J

Jumping Back•1/6/24, 5:33 PM

Does it still matter even if I do prisma migrate and use prima client for queries

JJumping Back Does it still matter even if I do prisma migrate and use prima client for querie...

M

Matt Silverlock•1/6/24, 5:57 PM

Prisma has no way to talk to a D1 database, so I don’t know how this would work.

using JS template literals exposes you to SQL injection btw

Similar Threads

Similar Threads

Similar Threads