SQL
SQL injection remains most financially damaging application vulnerability
(9) SQL injection vulnerabilities caused by interpolating unescaped user input into queries remain the perennial top contender for the most financially damaging application security vulnerability. Developers continue to make mistakes in this area.
Breaking change in HTTP query template function usage
(8) Neon's Node.js SDK v19+ introduces a breaking change in how the HTTP query template function can be called. Calling it as a conventional function (with parentheses) is now flagged as an SQL injection risk and throws an error, requiring developers to update their applications.
Prisma's query engine fetches entire tables inefficiently, causing expensive data reads and performance degradation
(7) Prisma's Rust-based query engine performs application-level joins by fetching entire tables and merging the results in memory rather than using optimized database-level SQL joins. This approach wastes bandwidth and becomes prohibitively expensive for teams paying per row read to database providers like PlanetScale, and is especially problematic at scale.
Schema evolution breaks tests and introduces silent failures
(7) When making schema changes to evolve the application's data handling, modifications either break tests immediately or they don't, and the latter is the worse case: the tests still pass but no longer guarantee correctness. This leads to iterative fixing of data integrity issues after the fact.
Time-consuming and error-prone SQL query creation
(6) Building complex SQL queries is tedious, error-prone, and time-consuming. Developers frequently resort to AI assistance rather than writing queries manually, and must often redo the work when requirements change or new clients appear.
Raw SQL requires manual JOIN maintenance across schema changes
(6) Using raw SQL for performance avoids ORM overhead but requires manually writing and maintaining JOIN statements. Every schema change necessitates updating all related queries, making the maintenance burden significant.
Raw SQL lacks type safety for result sets
(5) Raw SQL queries require manual casting of result sets and rely on developers remembering the correct column types. Type information is lost, increasing the risk of runtime errors.
Learning Prisma's schema DSL encourages developers to forget SQL fundamentals
(4) The ease of Prisma's query builder comes at the cost of developers gradually losing familiarity with raw SQL. The trade-off between simplicity and flexibility means developers become dependent on the ORM abstraction and cannot effectively fall back to direct SQL when it is needed for complex queries or optimization.