Hello everyone! does anyone knows how can I set the limit for the records to INSERT for a particular table?, what I want to achieve is to prevent the user to be able to INSERT multiple rows in a single call. I can do that from the front-end but of course I would like to ensure that from the DB itself for security reasons. Thanks in advance!

Hello @Haus Of Alejandro! This thread has been automatically created from your message in #843999948717555735 a few seconds ago. We have already mentioned the @User so that they can see your message and help you as soon as possible! Want to unsubscribe from this thread? Right-click the thread in Discord (or use the ``...`` menu) and select "Leave Thread" to unsubscribe from future updates. Want to change the title? Use the ``/title`` command! We have solved your problem? Click the button below to archive it.

I don't know of a built in way to limit rows on insert. Someone asked way back. https://github.com/PostgREST/postgrest/issues/1757 You could block all inserts with RLS then have a security definer rpc function, with its own checks for authorized user, do the insert. You would take a single row as the input parameter.

Thanks @garyaustin I tried the RPC approach, it works now, the only concern that I still have is that the function itself now has security to definer instead of invoker. That's because it should incur in some INSERTS and UPDATES, I'm making sure of asking for the auth and other logic-checks first but still don't know if thats enough. Also I was wondering, if I perform the INSERT directly from the rpc function instead of the front-end methods... is the database in more risk in terms of someone trying to inject something malicious?

If you do your checks in the rpc function for user role,id, etc. you should be fine on access. If you do your insert with parameters you should also be fine on preventing injections. You could also parse the input data in the function if you want to "clean" it before storing in the columns. https://dba.stackexchange.com/questions/127/do-stored-procedures-prevent-sql-injection

Thanks for the information @garyaustin , yes, I do my checks on user and role, I'm just worried about an specific field "comment" which is just "free" text from the user 😕

INSERT into bookings(trip_id, vessel_id, validity, user_id, qty, paid) VALUES(tripid, vesselid, true, userid, qtyofticket, false) where the values are all parameters passed into the function.

Ohh I see now, yes, all the stored input is just inserted using the VALUES(...), that's good to know, thank you so much, also thanks for the link that are very informative!

Thread was archived by @Haus Of Alejandro. Anyone can send a message to unarchive it.