# Using $queryRaw unsafely, documentation seems not clear enough.

17 messages · Page 1 of 1 (latest)

sly silo
#

Hey folks, the documentation for this function is here:
https://www.prisma.io/docs/orm/prisma-client/queries/raw-database-access/raw-queries#raw-queries-with-relational-databases

The documentation makes it clearly seem like this function and the execute variant are safe compared to the unsafe versions.

Unfortunately, whilst they might be safer, they can also be used unsafely and I think this needs to be made clearer in the documentation.

I suspect that Prisma.raw can be used in an unsafe way even, but without that, there is also the following example I have seen:

https://gist.github.com/tghosth/c27842a940a37a1ddb29eb8bff1095d3/96f3c3bff756ef6fad364934aa61889336f6838c

Would you be comfortable for me to open a PR with my suggested documentation changes?

Gist

Making the "safe" version of Prisma's $queryRaw into an unsafe operation - index.js

Prisma

Learn how you can send raw SQL and MongoDB queries to your database using the raw() methods from the Prisma Client API.

sly silo
wintry scroll
#

Hey Josh 👋

I believe you are in touch with Jan from our team, we are discussing this internally 🙏

sly silo
#

Hey @wintry scroll, thanks for getting back to me. Yeah, Jan pinged me on LinkedIn but I had thought that maybe this was a better venue to discuss. Let me know if you want to discuss further either here or directly.

tired haven
#

Hey @sly silo, just wanted to confirm that I've seen this and am chatting with our engineering team. I'm also trying to understand the intricacies here so I can best represent our work 😅

In short, we still feel confident in the safety of our $queryRaw function, but agree that specifying further the limitations of that safety is warranted.

sly silo
tired haven
#

That would be awesome! If you wouldn't mind posting the PR as well I can review it shortly

sly silo
#

It will take me some time to prep but I will post here when I am done

tired haven
#

No rush! Thank you

sly silo
#

OK, I created this:
https://github.com/prisma/docs/pull/5735

I spent quite a long time on it because I think it is important that it is clear and has good illustrative examples.

I didn't exhaustively test it with Gatsby because recompiling after every change is so slow 😦

GitHub

Describe this PR
See discussion here;
https://discord.com/channels/937751382725886062/1218200207884288071
Basically, the docs make it seem like queryRaw and executeRaw are safe from SQL injection w...

sly silo
tired haven
#

Hi Josh, I apologize, this slipped through the cracks last week. Let me review now and see if I have any specific feedback

tired haven
# sly silo HI <@404463566738030595>, any thoughts on this addition? If you are concerned t...

I think this is good to go, but if you are ok with it I’d change the tone slightly. Using a template tag, no string building, no concatenation is how we designed and recommend the use of the raw functions.

It’s my understanding that method is safe? When more complicated patterns are introduced, then it becomes unsafe. Does that match your understanding?

Regardless, the work is great! I would just prefer if the text read something like "using it in this intended way is ok. Using it in these other ways is potentially unsafe"
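The distinction drawn in this post (a template tag keeps interpolated values out of the SQL text, while string building or a raw fragment puts them back in), shown with an added JavaScript model that is not Prisma's code and runs without a database. `sql`, `rawFragment`, `buildQuery` and `inlinesUntrustedInput` are hypothetical names standing in for the $queryRaw / Prisma.raw pattern, and the input is a constructed sample.

```javascript
// Added example (not Prisma's code): a minimal model of how a SQL tagged
// template separates statement text from bound values. All names hypothetical.
const UNTRUSTED = "o'brien@example.com"; // constructed sample user input
// Tagged template: `strings` are the literal SQL pieces the developer wrote,
// `values` are the interpolations. Only `strings` ever reach the SQL text.
function sql(strings, ...values) {
  return { strings: Array.from(strings), values };
}
// Opt-out helper in the spirit of Prisma.raw: the text is inlined verbatim.
function rawFragment(text) {
  return { raw: text };
}
// Turn a query object into (text, params) as a driver would send it.
function buildQuery(query) {
  const params = [];
  let text = '';
  query.strings.forEach((piece, i) => {
    text += piece;
    if (i >= query.values.length) return;
    const v = query.values[i];
    if (v !== null && typeof v === 'object' && 'raw' in v) {
      text += v.raw;                 // raw fragment: straight into SQL text
    } else {
      params.push(v);                // bound value: placeholder only
      text += `$${params.length}`;
    }
  });
  return { text, params };
}
// Intended use: input is interpolated directly, so it becomes a bound param.
function safeUsage(input = UNTRUSTED) {
  return buildQuery(sql`SELECT * FROM users WHERE email = ${input}`);
}
// Misuse 1: wrapping the input in a raw fragment puts it into the SQL text.
function rawWrappedUsage(input = UNTRUSTED) {
  return buildQuery(sql`SELECT * FROM users WHERE email = '${rawFragment(input)}'`);
}
// Misuse 2: building the string first and calling the tag as a plain function
// hands it a one-element "template" with no values left to parameterize.
function stringBuiltUsage(input = UNTRUSTED) {
  return buildQuery(sql([`SELECT * FROM users WHERE email = '${input}'`]));
}
// Defensive check for a test suite: untrusted text must never appear in the
// statement text itself, only in the parameter list.
function inlinesUntrustedInput(built, input) {
  return built.text.includes(input);
}
```

Running the three variants side by side shows that only `safeUsage` yields a placeholder plus a parameter; the other two carry the quote from the input inside the statement text, which is what the check flags.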

sly silo
tired haven
#

This is great! Thank you so much for working with us and bringing it to our attention. I'm going to approve and kick off a build just to make sure everything is working 🙂

sly silo
#

Looks like a couple of things are failing but not clear that they relate to my changes...?

tired haven
#

They are not, sorry about that. Also, we’re going through another round of internal review. Thanks for your patience!