Why prisma calls directly in Next is a MISTAKE

16.5K views • August 15, 2023 • by Web Dev Cody

TL;DR

A security flaw in the Code Racer project exposed sensitive user data, highlighting the need for cautious data fetching practices.

Transcript

So recently there was a security issue with this Code Racer project, and I wanted to kind of make a video to kind of highlight how important it is to make sure that the things that you implement are double checked, triple checked, make sure you're not leaking private information across the wire. So anyone who's been working on this project, I definitely rec...

Key Insights

  • 🈸 Always verify that the data fetched from the database is the minimum necessary for application functionality to prevent data leaks.
  • 🧭 Sensitive fields should never be inadvertently passed to client components; explicit select statements help mitigate this risk.
  • 👤 Using server-side rendering frameworks like Next.js necessitates careful management of data flow to maintain user privacy and security.
  • 💌 Leaking emails and other private information can severely impact user trust and application integrity; preventative measures should be prioritized.
  • 🏛️ Consider building a dedicated data access layer to manage sensitive information securely while allowing flexibility in application building.
  • 🍵 The complexity of managing field omissions highlights why structured data handling practices, like select statements, are critical for security.
  • 🈸 Increased awareness of data management and security practices in application development can contribute to more secure web applications.


Questions & Answers

Q: What was the main security issue encountered in the Code Racer project?

The primary security issue was the unintended exposure of user emails in network requests, even though they were not visible in the rendered user interface. This occurred because the application fetched user data directly from the database without properly omitting sensitive fields, allowing anyone to access sensitive information through network monitoring tools.

Q: How did the use of React server components contribute to the issue?

The issue stemmed from the nature of React server components, which allowed sensitive data to be passed verbatim to client components without first filtering it. When server-side data is sent to the client, if the server component includes sensitive data in its output, that information becomes visible in network requests, posing a security risk.

Q: What is the recommended best practice for fetching user data to avoid security risks?

The recommended best practice is to use explicit select statements when fetching data from the database. By doing so, developers can ensure that only the necessary fields are retrieved, significantly reducing the risk of leaking sensitive information like emails while also improving application performance by minimizing data payloads.

Q: Why is it not advisable to use a "select star" approach in data fetching?

Using a "select star" approach retrieves all fields from a database table, which may include sensitive information that should not be sent to the client. This practice increases the risk of exposing private data and can lead to unnecessary data transfer, negatively impacting performance and security.

Q: What alternatives are there to avoid remembering to omit sensitive fields throughout the codebase?

Developers can create a data model layer that centralizes access to user data, ensuring fields are filtered before reaching the client. However, even this approach requires strict discipline to maintain the omission of sensitive fields. Employing specific select statements is generally recommended for simplicity and effectiveness.

Q: Did the video suggest any potential modifications to the Prisma ORM for improving security?

Yes, the video discussed the idea of introducing a feature in Prisma that would allow developers to mark certain fields as private, so that they are excluded from query results by default rather than only when a developer remembers to omit them. This could streamline the process of protecting sensitive data, but the idea was noted to have limited traction in development discussions within the Prisma community.

Q: What steps should developers take when working with sensitive user data in their applications?

Developers should review their code to identify instances where sensitive data might be inadvertently exposed. Implementing explicit select statements, utilizing middleware for data sanitization, and maintaining an awareness of what data is shared in API responses are essential steps for safeguarding user information.
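The explicit-select and data-access-layer advice from the answers above, as an added example that is not code from the video or the Code Racer project. `findUnique` is a constructed in-memory stand-in for a Prisma client so the snippet runs offline, and `getUserUnsafe`, `getPublicUser` and `leakedFields` are hypothetical names; the last one round-trips props through JSON, the way a server component's props reach the client, and reports which sensitive keys survived.

```typescript
// Added example; not code from the video or the Code Racer project. `findUnique`
// is a constructed in-memory stand-in for a Prisma client so this runs offline.
type UserRow = {
  id: number;
  name: string;
  email: string;        // sensitive: must never reach a client component
  passwordHash: string; // sensitive
};
// Constructed sample rows standing in for the users table.
const USERS: UserRow[] = [
  { id: 1, name: "ada", email: "ada@example.com", passwordHash: "$2b$10$constructed" },
  { id: 2, name: "linus", email: "linus@example.com", passwordHash: "$2b$10$constructed2" },
];

// Prisma-like `select`: `{ field: true }` returns only those columns;
// omitting `select` behaves like SELECT * and returns the whole row.
type Select = Partial<Record<keyof UserRow, true>>;
function findUnique(where: { id: number }, select?: Select): Partial<UserRow> | null {
  const row = USERS.find((u) => u.id === where.id);
  if (!row) return null;
  if (!select) return { ...row };
  const out: Record<string, unknown> = {};
  for (const key of Object.keys(select) as (keyof UserRow)[]) {
    if (select[key]) out[key] = row[key];
  }
  return out as Partial<UserRow>;
}

// The pattern the video warns against (hypothetical name): the whole row,
// email included, comes back and would be serialized into the RSC payload.
function getUserUnsafe(id: number): Partial<UserRow> | null {
  return findUnique({ id });
}

// Data-access-layer function (hypothetical name) with an explicit allowlist of
// public columns; its return type cannot even name `email`.
type PublicUser = { id: number; name: string };
function getPublicUser(id: number): PublicUser | null {
  const row = findUnique({ id }, { id: true, name: true });
  return row ? { id: row.id as number, name: row.name as string } : null;
}

// Check to run on props before a server component hands them to a client
// component: JSON round-trip mimics RSC serialization, then look for keys.
const SENSITIVE = ["email", "passwordHash"];
function leakedFields(props: unknown): string[] {
  if (props === null || typeof props !== "object") return [];
  const obj = JSON.parse(JSON.stringify(props)) as Record<string, unknown>;
  return SENSITIVE.filter((k) => k in obj);
}
```

Running `leakedFields(getUserUnsafe(1))` reports both sensitive keys, while `leakedFields(getPublicUser(1))` is empty; the same check can sit in a test that walks every page's props.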

Summary & Key Takeaways

  • The Code Racer project encountered a security issue where user emails were leaked through network requests, despite not being displayed in the UI. This emphasizes the importance of handling sensitive data properly in server-side rendering scenarios with Next.js.

  • The problem arose from fetching user data directly, leading to unintended exposure of email addresses. Developers were advised to avoid a "select star" approach and instead utilize specific select statements to control data fetching and limit exposure of sensitive information.

  • Best practices for securing data involve using select statements to explicitly define which fields to return, effectively omitting sensitive information and reducing payload size, resulting in improved performance and security.
