Of course "you have to sanitize your inputs somehow", but this example does that exactly nowhere, i.e. it is exploitable. Having the tutorial omit this problem altogether is dangerous, as not discussing it might create the impression that PostgREST somehow already handles this, or that the toy example given here does not have a glaring security vulnerability. This is particularly problematic because the reason that the docs for many other backend frameworks also don't discuss the problem is that they do in fact already handle it (usually via a built-in templating language).
Steve acknowledged the problem in a sibling comment, so hopefully the next iteration of the tutorial will address this. (Thanks!)
Of course "you have to sanitize your inputs somehow", but this example does that exactly nowhere, i.e. it is exploitable. Having the tutorial omit this problem altogether is dangerous, as not discussing it might create the impression that PostgREST somehow already handles this, or that the toy example given here does not have a glaring security vulnerability. This is particularly problematic because the reason that the docs for many other backend frameworks also don't discuss the problem is that they do in fact already handle it (usually via a built-in templating language).
Steve acknowledged the problem in a sibling comment, so hopefully the next iteration of the tutorial will address this. (Thanks!)