HomeSupabase in 5 DaysDay 2
Day 2 of 5
⏱ ~60 minutes
Supabase in 5 Days — Day 2

Database: Tables and Queries

Create tables, define Row Level Security, and query data with the Supabase client.

The Table Editor and SQL

Create tables in the Supabase dashboard Table Editor (GUI) or write SQL in the SQL Editor. Both work — SQL is more powerful for complex schemas.

SQL to create tables
-- In Supabase SQL Editor
CREATE TABLE posts (
  id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
  title TEXT NOT NULL,
  body TEXT,
  user_id UUID REFERENCES auth.users(id) ON DELETE CASCADE,
  created_at TIMESTAMPTZ DEFAULT NOW()
);

-- Enable Row Level Security
ALTER TABLE posts ENABLE ROW LEVEL SECURITY;

-- Policy: users can only see their own posts
CREATE POLICY 'Users see own posts' ON posts
  FOR SELECT USING (auth.uid() = user_id);

-- Policy: users can insert their own posts
CREATE POLICY 'Users insert own posts' ON posts
  FOR INSERT WITH CHECK (auth.uid() = user_id);

-- Policy: public posts visible to all
CREATE POLICY 'Public posts readable' ON posts
  FOR SELECT USING (true);  -- or add a published column check
Querying with supabase-js
// SELECT
const { data, error } = await supabase
  .from('posts')
  .select('id, title, created_at')
  .eq('user_id', userId)
  .order('created_at', { ascending: false })
  .limit(10);

// SELECT with JOIN (foreign key)
const { data } = await supabase
  .from('posts')
  .select('*, profiles(name, avatar_url)');

// INSERT
const { data } = await supabase.from('posts').insert({
  title: 'My Post',
  body: 'Content here',
  user_id: user.id
}).select();

// UPDATE
await supabase.from('posts')
  .update({ title: 'New Title' })
  .eq('id', postId);

// DELETE
await supabase.from('posts').delete().eq('id', postId);
📝 Day 2 Exercise
Build a CRUD App with RLS
  1. C
  2. r
  3. e
  4. a
  5. t
  6. e
  8. a
  10. p
  11. o
  12. s
  13. t
  14. s
  16. t
  17. a
  18. b
  19. l
  20. e
  21. .
  23. E
  24. n
  25. a
  26. b
  27. l
  28. e
  30. R
  31. L
  32. S
  33. .
  35. A
  36. d
  37. d
  39. p
  40. o
  41. l
  42. i
  43. c
  44. i
  45. e
  46. s
  48. s
  49. o
  51. u
  52. s
  53. e
  54. r
  55. s
  57. c
  58. a
  59. n
  61. o
  62. n
  63. l
  64. y
  66. s
  67. e
  68. e
  70. a
  71. n
  72. d
  74. e
  75. d
  76. i
  77. t
  79. t
  80. h
  81. e
  82. i
  83. r
  85. o
  86. w
  87. n
  89. p
  90. o
  91. s
  92. t
  93. s
  94. .
  96. B
  97. u
  98. i
  99. l
  100. d
  102. a
  104. R
  105. e
  106. a
  107. c
  108. t
  110. c
  111. o
  112. m
  113. p
  114. o
  115. n
  116. e
  117. n
  118. t
  120. t
  121. h
  122. a
  123. t
  125. l
  126. i
  127. s
  128. t
  129. s
  131. p
  132. o
  133. s
  134. t
  135. s
  137. f
  138. o
  139. r
  141. t
  142. h
  143. e
  145. l
  146. o
  147. g
  148. g
  149. e
  150. d
  151. -
  152. i
  153. n
  155. u
  156. s
  157. e
  158. r
  159. ,
  161. c
  162. r
  163. e
  164. a
  165. t
  166. e
  167. s
  169. n
  170. e
  171. w
  173. p
  174. o
  175. s
  176. t
  177. s
  178. ,
  180. a
  181. n
  182. d
  184. d
  185. e
  186. l
  187. e
  188. t
  189. e
  190. s
  192. t
  193. h
  194. e
  195. m
  196. .

Day 2 Summary

  • Row Level Security (RLS) enforces data access rules at the database level — not in application code.
  • auth.uid() in RLS policies returns the logged-in user's ID. The database checks it automatically.
  • Supabase client queries: .from(table).select().eq().order().limit() chain.
  • Always enable RLS on tables that contain user data. Without it, any authenticated user can read all rows.
← Previous
Day 1: Project Setup and Authentication
Next →
Day 3: Storage: Files and Images
Finished this lesson?