Are Phoenix routes safe from SQL injections?

I have a few entities in my database where I have decided not to use an autoincrementing integer ID as primary key, modifying the auto-generated schema, routes, etc. to work with this. Instead, the primary key is a string.

As a result, show page routes now look like /entity/string_pk, where the string_pk is the primary key to use to fetch the record.

I have done this for convenience and simplicity, but worry about the possibility of SQL injection attacks, where the string_pk is replaced by plausible injection strings which Ecto will immediately SELECT for.

Is this a realistic problem to worry about, necessitating a return to integer IDs, or the use of some kind of intermediate string sanitisation in the chain?

It depends on how you load the data. If you use the standard Repo.get, then you are safe. If you are building the SQL string manually, then not.

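As an added example that is not part of the thread: the Ecto paths the answer calls safe (Repo.get and a pinned query value), next to the manual SQL-string pattern it warns about and its parameterised fix. MyApp.Entity, MyApp.Repo, the controller name and the `entities` table are assumed.

```elixir
# Added example (not from the thread). Assumed names: MyApp.Entity, MyApp.Repo,
# MyAppWeb.EntityController, table "entities" with a string primary key.
defmodule MyApp.Entity do
  use Ecto.Schema

  # String primary key supplied by the application, not autogenerated.
  @primary_key {:id, :string, autogenerate: false}
  schema "entities" do
    field :name, :string
  end
end

defmodule MyAppWeb.EntityController do
  use MyAppWeb, :controller
  import Ecto.Query, only: [from: 2]
  alias MyApp.{Entity, Repo}

  # SAFE: Repo.get/2 casts the path segment to the :string PK type and sends
  # it to the database as a bound parameter; it is never spliced into SQL text.
  def show(conn, %{"id" => string_pk}) do
    entity = Repo.get!(Entity, string_pk)
    render(conn, :show, entity: entity)
  end

  # SAFE: a pinned (^) value in an Ecto query is likewise a bound parameter.
  def show_query(conn, %{"id" => string_pk}) do
    entity = Repo.one!(from e in Entity, where: e.id == ^string_pk)
    render(conn, :show, entity: entity)
  end

  # UNSAFE: the path segment is interpolated into the statement itself, so a
  # value containing a quote character ends the literal and the remainder is
  # parsed as SQL. This is the "building the SQL string manually" case.
  def show_raw_unsafe(conn, %{"id" => string_pk}) do
    sql = "SELECT id, name FROM entities WHERE id = '#{string_pk}'"
    %{rows: rows} = Repo.query!(sql)
    render(conn, :show, entity: rows)
  end

  # SAFE raw SQL: a placeholder plus a parameter list keeps the value out of
  # the statement text (PostgreSQL placeholder syntax shown; MySQL uses ?).
  def show_raw_safe(conn, %{"id" => string_pk}) do
    sql = "SELECT id, name FROM entities WHERE id = $1"
    %{rows: rows} = Repo.query!(sql, [string_pk])
    render(conn, :show, entity: rows)
  end
end
```

Note that the string PK does not change the picture: with an integer PK, Repo.get would simply raise Ecto.Query.CastError on a non-integer segment, and with a string PK the segment is still passed as a typed bound parameter.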

Thank you @egze, that’s all I wanted to know.

I have no intention of doing this for all entities, and for the few where it seems better suited, I will not deviate from the standard Repo.get.

Much appreciated!