Provides a string template tag that makes it easy to compose MySQL and PostgreSQL query strings from untrusted inputs by escaping dynamic values based on the context in which they appear.
$ npm install safesqlMySQL via
const { mysql } = require('safesql');PostgreSQL via
const { pg } = require('safesql');const { mysql, SqlId } = require('safesql');
const table = 'table';
const ids = [ 'x', 'y', 'z' ];
const str = 'foo\'"bar';
const query = mysql`SELECT * FROM \`${ table }\` WHERE id IN (${ ids }) AND s=${ str }`;
console.log(query);
// SELECT * FROM `table` WHERE id IN ('x', 'y', 'z') AND s='foo''"bar'mysql functions as a template tag.
Commas separate elements of arrays in the output.
mysql treats a ${...} between backticks (\`) as a SQL identifier.
A ${...} outside any quotes will be escaped and wrapped in appropriate quotes if necessary.
PostgreSQL differs from MySQL in important ways. Use pg for Postgres.
const { pg, SqlId } = require('safesql');
const table = 'table';
const ids = [ 'x', 'y', 'z' ];
const str = 'foo\'"bar';
const query = pg`SELECT * FROM "${ table }" WHERE id IN (${ ids }) AND s=${ str }`;
console.log(query);
// SELECT * FROM "table" WHERE id IN ('x', 'y', 'z') AND s=e'foo''\"bar'You can pass in an object to relate columns to values as in a SET clause above.
The output of mysql`...` has type SqlFragment so the
NOW() function call is not re-escaped when used in ${data}.
const { mysql } = require('safesql');
const column = 'users';
const userId = 1;
const data = {
email: '[email protected]',
modified: mysql`NOW()`
};
const query = mysql`UPDATE \`${column}\` SET ${data} WHERE \`id\` = ${userId}`;
console.log(query);
// UPDATE `users` SET `email` = '[email protected]', `modified` = NOW() WHERE `id` = 1Since mysql returns a SqlFragment you can chain uses:
const { mysql } = require('safesql');
const data = { a: 1 };
const whereClause = mysql`WHERE ${data}`;
console.log(mysql`SELECT * FROM TABLE ${whereClause}`);
// SELECT * FROM TABLE WHERE `a` = 1An interpolation in a quoted string will not insert excess quotes:
const { mysql } = require('safesql')
console.log(mysql`SELECT '${ 'foo' }' `)
// SELECT 'foo'
console.log(mysql`SELECT ${ 'foo' } `)
// SELECT 'foo'Backticks end a template tag, so you need to escape backticks.
const { mysql } = require('safesql')
console.log(mysql`SELECT \`${ 'id' }\` FROM \`TABLE\``)
// SELECT `id` FROM `TABLE`Other escape sequences are raw.
const { mysql } = require('safesql')
console.log(mysql`SELECT "\n"`)
// SELECT "\n"Assuming
const { mysql, pg, SqlFragment, SqlId } = require('safesql')When called with an options bundle instead of as a template tag,
mysql and pg return a template tag that uses those options.
The options object can contain any of
{ stringifyObjects, timeZone, forbidQualified } which have the
same meaning as when used with sqlstring.
const timeZone = 'GMT'
const date = new Date(Date.UTC(2000, 0, 1))
console.log(mysql({ timeZone })`SELECT ${date}`)
// SELECT '2000-01-01 00:00:00.000'When used as a template tag, chooses an appropriate escaping
convention for each ${...} based on the context in which it appears.
mysql handles ${...} inside quoted strings as if the template
matched the following grammar:
When used as a template tag, chooses an appropriate escaping
convention for each ${...} based on the context in which it appears.
pg handles ${...} inside quoted strings as if the template
matched the following grammar:
SqlFragment is a Mintable class that represents fragments of SQL that are safe to send to a database.
See minting for example on how to create instances, and why this is a
tad more involved than just using new.
SqlId is a Mintable class that represents a SQL identifier.
See minting for example on how to create instances, and why this is a
tad more involved than just using new.
A SqlId's content must be the raw text of a SQL identifier and
creators should not rely on case folding by the database client.