sql-tagged-template-literal
ES6 SQL-escaping tagged template literal that spits out a sanitized SQL string
Last updated 3 years ago by tehshrike .
$ cnpm install sql-tagged-template-literal

sql-tagged-template-literal

npm install sql-tagged-template-literal

Useful for data dumps and other "just gimme a query" tasks.

const userInput = `Robert'); DROP TABLE Students;--`

const query = sql`INSERT INTO awesome_table (sweet_column) VALUES (${userInput})`

query // => `INSERT INTO awesome_table (sweet_column) VALUES ('Robert\\'); DROP TABLE Students;--')`

Uses the sqlstring library for escaping.

Only meant for escaping values; don't put table or column names in the interpolated expressions.

Escape mechanisms

null is an unquoted NULL

sql`SELECT ${null} IS NULL` // => `SELECT NULL IS NULL`

Strings are escaped and quoted

sql`SELECT ${"what's up"} AS lulz` // => `SELECT 'what\\'s up' AS lulz`

Numbers are not quoted

sql`SELECT ${13} AS totally_lucky` // => `SELECT 13 AS totally_lucky`

Booleans are converted to text

sql`SELECT ${true} = ${false}` // => `SELECT true = false`

Objects are JSONed, then escaped

MySQL has a JSON data type, after all.

const legitObject = { fancy: 'yes\'m' }

const jsonInsertQuery = sql`INSERT INTO document_store (json_column) VALUES (${legitObject})`

jsonInsertQuery // => `INSERT INTO document_store (json_column) VALUES ('{\\"fancy\\":\\"yes\\'m\\"}')`
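As an added example that is not the package's own code (the real package delegates escaping to the sqlstring library), here is a minimal tagged template that applies the rules listed above: null becomes an unquoted NULL, strings are escaped and quoted, numbers are left unquoted, booleans become text, and objects are JSON-encoded and then escaped like strings. The escape table is an assumption covering the usual MySQL-style backslash escapes, the rejection of non-finite numbers is an added guard, and `identifierPitfall` is a hypothetical helper that shows why the caveat about table and column names holds.

```javascript
// Added example: a small re-implementation of the tagged-template idea from the README.
// Not the sql-tagged-template-literal code; the package itself uses sqlstring for escaping.
// Escape table is an assumption modelled on MySQL backslash escaping.
const ESCAPES = {
  '\0': '\\0',
  '\b': '\\b',
  '\t': '\\t',
  '\n': '\\n',
  '\r': '\\r',
  '\x1a': '\\Z',
  '"': '\\"',
  "'": "\\'",
  '\\': '\\\\',
};

// Escape the dangerous characters in a string and wrap it in single quotes.
function escapeString(str) {
  return "'" + str.replace(/[\0\b\t\n\r\x1a"'\\]/g, ch => ESCAPES[ch]) + "'";
}

// Turn one interpolated value into a SQL literal following the README's rules.
function escapeValue(value) {
  if (value === null || value === undefined) return 'NULL';          // unquoted NULL
  if (typeof value === 'number') {
    // Added guard (assumption): NaN/Infinity are not valid SQL numeric literals.
    if (!Number.isFinite(value)) throw new TypeError('non-finite number cannot be a SQL literal');
    return String(value);                                            // numbers are not quoted
  }
  if (typeof value === 'boolean') return value ? 'true' : 'false';  // booleans become text
  if (typeof value === 'string') return escapeString(value);         // escaped and quoted
  if (typeof value === 'object') return escapeString(JSON.stringify(value)); // JSONed, then escaped
  throw new TypeError(`cannot escape value of type ${typeof value}`);
}

// The tag: literal chunks are kept verbatim, every ${...} value is escaped.
function sql(strings, ...values) {
  return strings.reduce(
    (out, chunk, i) => out + chunk + (i < values.length ? escapeValue(values[i]) : ''),
    ''
  );
}

// The README's injection example: the input lands inside a quoted string literal.
function buildInsert(userInput) {
  return sql`INSERT INTO awesome_table (sweet_column) VALUES (${userInput})`;
}

// Hypothetical helper illustrating the README's caveat: an interpolated identifier
// is quoted like any other string, so the table name becomes a string literal
// rather than a table reference.
function identifierPitfall(tableName) {
  return sql`SELECT * FROM ${tableName}`;
}

// Constructed sample input, as in the README.
const userInput = `Robert'); DROP TABLE Students;--`;
console.log(buildInsert(userInput));
console.log(identifierPitfall('users'));
```

Every value reaches the query only through `escapeValue`, so the worst a hostile string can do is change the contents of one literal; the query shape is fixed by the template's static chunks. `identifierPitfall('users')` yields `SELECT * FROM 'users'`, which shows why names of tables and columns must be written into the template text itself rather than interpolated.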

License

WTFPL

Current Tags

  • 1.0.2: latest (3 years ago)

3 Versions

  • 1.0.2 (3 years ago)
  • 1.0.1 (4 years ago)
  • 1.0.0 (4 years ago)