What databases does QuackDB support?

QuackDB supports SQLite, PostgreSQL (including Supabase), MySQL, and SQL Server on Mac.

Is QuackDB a free SQL client?

Yes. QuackDB has a free tier with unlimited connections and core SQL editing features. No credit card is required to download.

Is my database data secure with QuackDB?

QuackDB is local-first. Your databases stay on your machine. Credentials use macOS Keychain. See the Privacy Policy at quackdb.app/privacy.

How does QuackDB compare to TablePlus or DBeaver?

See side-by-side guides at quackdb.app/compare for DataGrip, DBeaver, TablePlus, and Beekeeper Studio.

SQL Injection Prevention | QuackDB Documentation

SQL Injection Prevention

Write secure queries to prevent attacks

SQL injection is one of the most dangerous security vulnerabilities. Learn how to protect your applications.

The Problem

-- DANGEROUS: String concatenation
const query = "SELECT * FROM users WHERE name = '" + userInput + "'";

-- If userInput is: ' OR '1'='1
-- Query becomes: SELECT * FROM users WHERE name = '' OR '1'='1'
-- This returns ALL users!

-- Even worse: '; DROP TABLE users; --
-- This deletes the entire table!

The Solution: Parameterized Queries

-- JavaScript/Node.js with better-sqlite3
const stmt = db.prepare('SELECT * FROM users WHERE name = ?');
const user = stmt.get(userInput);

-- Python with sqlite3
cursor.execute('SELECT * FROM users WHERE name = ?', (user_input,))

-- The database handles escaping safely

Rules

NEVER concatenate user input into SQL strings

ALWAYS use parameterized queries / prepared statements

ALWAYS use an ORM that handles parameterization

ALWAYS validate and sanitize input on top of parameterization

QuackDB Note: QuackDB uses parameterized queries internally. When writing queries in the app, you're protected. But always use parameters in your own application code!

SQL Injection Prevention

The Problem

The Solution: Parameterized Queries

Rules

Need help?