if I am using supabase-js and I use the .insert me...
# help
s
If I am using supabase-js and I use the .insert method on a query, is that parametrised and safe from injection?
s
As far as I'm aware, yes it is. There are 2 main ways to call Postgres functions or insert data into tables - either with the parameters in order, or by binding. With 'in order', you'd call parameters in the order that the columns or function parameters are specified in the table schema or function definition. Passing them in the wrong order would throw an error if the data types didn't match. Since we pass an object to .insert(), it uses binding - the key as the variable name which maps to a column, and the value as the value to be passed into the row. If you ever try to call an insert and pass a column that doesn't exist in the target table (or a parameter that doesn't exist in the function), it'll throw an error.
s
Perfect thank you