Raw database access
MongoDB not supported
Raw queries are currently not supported by the MongoDB connector.
Prisma Client exposes four methods that allow you to send raw SQL queries to your database:
- Use
$queryRawto return actual records (for example, usingSELECT) - Use
$executeRawto return a count of affected rows (for example, after anUPDATEorDELETE) - Use
$queryRawUnsafeto return actual records (for example, usingSELECT) using a raw string. Potential SQL injection risk - Use
$executeRawUnsafeto return a count of affected rows (for example, after anUPDATEorDELETE) using a raw string. Potential SQL injection risk
Use cases for raw SQL include:
- You are a strong SQL user and want to run a heavily optimized query
- Prisma Client does not yet support the feature that you require (please consider raising an issue)
$queryRaw
$queryRaw returns actual database records. For example, the following SELECT query returns all fields for each record in the User table:
The method is implemented as a tagged template, which allows you to pass a template literal where you can easily insert your variables. In turn, Prisma creates prepared statements that are safe from SQL injections:
You can also use the Prisma.sql helper, in fact, the $queryRaw method will only accept a template string or the Prisma.sql helper.
Return type
$queryRaw returns an array. Each object corresponds to a database record:
You can also type the results of $queryRaw.
Signature
Typing $queryRaw results
PrismaPromise<T> uses a generic type parameter T. You can determine the type of T when you invoke the $queryRaw method. In the following example, $queryRaw returns User[]:
Note: If you do not provide a type,
$queryRawdefaults tounknown.
If you are selecting specific fields of the model or want to include relations, refer to the documentation about leveraging Prisma Client's generated types if you want to make sure that the results are properly typed.
Type caveats when using raw SQL
When you type the results of $queryRaw, the raw data does not always match the suggested TypeScript type. For example, the following Prisma model includes a Boolean field named published:
The following query returns all posts and prints out the value of published field of each Post:
Note: The Prisma Client query engine standardizes the return type for all databases. Using the raw queries does not. If the database provider is MySQL, the values are
1or0. However, if the database provider is PostgreSQL, the values aretrue,false, orNULL.
$queryRawUnsafe
The $queryRawUnsafe method allows you to pass a raw string (or template string) to the database.
SELECT * FROM table WHERE columnx = ${userInput}), you open up the possibility for SQL injection attacks. SQL injection attacks can expose your data, be it confidential or otherwise sensitive, to being modified, or even destroyed.$queryRaw query instead. For more information on SQL injection attacks, see the OWASP SQL Injection guide.The following query returns all fields for each record in the User table:
You can also run a parameterized query. The following example returns all users whose email contains the string emelie@prisma.io:
Signature
Parameterized queries
As an alternative to tagged templates, $queryRawUnsafe supports standard parameterized queries where each variable is represented by a symbol (? for mySQL, $1, $2, and so on for PostgreSQL). The following example uses a MySQL query:
Note: MySQL variables are represented by
?
The following example uses a PostgreSQL query:
Note: PostgreSQL variables are represented by
$1and$2
As with tagged templates, Prisma Client escapes all variables.
Note: You cannot pass a table or column name as a variable into a parameterized query. For example, you cannot
SELECT ?and pass in*orid, namebased on some condition.
Parameterized PostgreSQL ILIKE query
When you use ILIKE, the % wildcard character(s) should be included in the variable itself, not the query (string):
Note: Using
%$2as an argument would not work
$executeRaw
$executeRaw returns the number of rows affected by a database operation, such as UPDATE or DELETE. This function does not return database records. The following query updates records in the database and returns a count of the number of records that were updated:
The method is implemented as a tagged template, which allows you to pass a template literal where you can easily insert your variables. In turn, Prisma creates prepared statements that are safe from SQL injections:
Be aware that:
$executeRawdoes not support multiple queries in a single string (for example,ALTER TABLEandCREATE TABLEtogether).- Prisma Client submits prepared statements, and prepared statements only allow a subset of SQL statements. For example,
START TRANSACTIONis not permitted. You can learn more about the syntax that MySQL allows in Prepared Statements here. PREPAREdoes not supportALTER- see workaround.
Return type
$executeRaw returns a number.
Signature
$executeRawUnsafe
The $executeRawUnsafe method allows you to pass a raw string (or template string) to the database. Like $executeRaw, it does not return database records, but returns the number of rows affected.
Note:
$executeRawUnsafecan only run one query at a time. You cannot append a second query - for example, addingDROP bobby_tablesto the end of anALTER.
SELECT * FROM table WHERE columnx = ${userInput}), you open up the possibility for SQL injection attacks. SQL injection attacks can expose your data, be it confidential or otherwise sensitive, to being modified, or even destroyed.$executeRaw query instead. For more information on SQL injection attacks, see the OWASP SQL Injection guide.The following example uses a template string to update records in the database. It then returns a count of the number of records that were updated:
The same can be written as a parameterized query:
Signature
Transactions
In 2.10.0 and later, you can use .$executeRaw() and .$queryRaw() inside a transaction.
Using variables
$executeRaw and $queryRaw are implemented as tagged templates. Tagged templates are the recommended way to use variables with raw SQL in the Prisma Client.
The following example includes a placeholder named ${userId}. Note the double backticks (``) instead of ():
Important: You must use double backticks - the same query using
$queryRaw()is not secure because${userId}is not escaped.
✔ Benefits of using the tagged template versions of $queryRaw and $executeRaw include:
- Prisma Client escapes all variables.
- Tagged templates are database-agnostic - you do not need to remember if variables should be written as
$1(PostgreSQL) or?(MySQL). - SQL Template Tag give you access to useful helpers.
- Embedded, named variables are easier to read.
Note: You cannot pass a table or column name into a tagged template placeholder. For example, you cannot
SELECT ?and pass in*orid, namebased on some condition.
Tagged template helpers
Prisma Client specifically uses SQL Template Tag, which exposes a number of helpers. For example, the following query uses join() to pass in a list of IDs:
The following example uses the empty and sql helpers to change the query depending on whether userName is empty:
ALTER limitation (PostgreSQL)
PostgreSQL does not support using ALTER in a prepared statement, which means that the following queries will not work:
You can use the following query, but be aware that this is potentially unsafe as ${password} is not escaped:
SQL injection
Prisma Client mitigates the risk of SQL injection in the following ways:
Prisma Client escapes all variables when you use tagged templates and sends all queries as prepared statements.
$queryRaw`...` // Tagged template$executeRaw`...` // Tagged template$executeRawcan only run one query at a time. You cannot append a second query - for example, addingDROP bobby_tablesto the end of anALTER.
If you cannot use tagged templates, you can instead use $queryRawUnsafe or $executeRawUnsafe but be aware that your code may be vulnerable to SQL injection.
⚠️ String concatenation
The following example concatenates query and inputString. Prisma Client ❌ cannot escape inputString in this example, which makes it vulnerable to SQL injection:
