System Information
- Strapi Version: 3.6.8
- Operating System: macOS, Linux
- Database: sqlite, PostgreSQL
- Node Version: 14.17.0
- NPM Version: 8.5.5
- Yarn Version: 1.22.17
When doing a “broken” graph query to Strapi, the response message contains the full SQL query. As this is a potential security issue, I’d like to know how to prevent that. The database is not flagged as debug in the config. Essentially, the issue occurs whenever you try to sort for a field that doesn’t exist.
Example query:
{
designs(sort: "0") {
id
}
}
Result:
{
"errors": [
{
"message": "select \"designs\".*, \"designs\".\"foo\" as \"_strapi_tmp_designs_foo\" from \"designs\" where (\"designs\".\"published_at\" is not null) order by \"_strapi_tmp_designs_foo\" asc limit $1 - column designs.foo does not exist",
"locations": [
{
"line": 2,
"column": 2
}
],
"path": [
"designs"
]
}
],
"data": {
"designs": null
}
}