@capriza/safe-sql
v1.1.0
'SQL' template tag for supporting safe Sequelize queries
safe-sql
Protect your code from accidental SQL injection by applying the SQL template tag to raw queries run through Sequelize: every `${...}` interpolation in a tagged query becomes a bind parameter instead of being spliced into the query text.
The tag only protects the queries it is actually applied to, so for the strongest protection pair it with the companion ESLint plugin, https://github.com/capriza/eslint-plugin-safe-sql, which is meant to catch raw queries that bypass the tag.
Installation
$ npm install @capriza/safe-sql
Usage
// the wrong way - the untrusted value is spliced into the query text (potential SQL injection)
sequelize.query(`SELECT * FROM users WHERE name = ${req.query.username}`);
// the right way - a positional bind parameter; the value never becomes part of the query text
sequelize.query(`SELECT * FROM users WHERE name = $1`, {bind: [req.query.username]});
// the best way - the SQL tag turns every ${...} into a bind parameter for you
const SQL = require("@capriza/safe-sql");
sequelize.query(SQL`SELECT * FROM users WHERE name = ${req.query.username}`);
concat
The concat method builds a single query from several SQL-tagged parts. The bind parameters of each part are appended in order and their placeholders are numbered to continue from the ones already in the query, so optional clauses can be added conditionally without ever touching the query text directly.
let query = SQL`SELECT * FROM users WHERE name = ${req.query.username}`;
// optional clause: only appended when the request carries a location
if (req.query.location) {
  query.concat(SQL` AND location = ${req.query.location}`);
}
query.concat(SQL` LIMIT ${req.query.limit}`);
sequelize.query(query);
// -> SELECT * FROM users WHERE name = $1 AND location = $2 LIMIT $3
Bind parameters can only carry values. A table name, column name or ORDER BY direction interpolated through the tag is bound as a string value rather than spliced in as SQL, so identifiers and keywords must remain literal text in the template (check any caller-supplied identifier against an allow-list before writing it into the template).
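To make the mechanism behind the Usage and concat sections concrete, here is an added, self-contained reimplementation of the idea: a toy `SQL` tag that turns interpolations into `$n` bind parameters and a `concat` that renumbers them. This is illustrative code written for this page, not the `@capriza/safe-sql` source; its internals and return shape are not shown on the page. The `{ query, bind }` shape, the `SafeQuery` class, the `buildUnsafe`/`buildSafe`/`buildFiltered` helpers, the `req` object and the attacker payload are all assumptions constructed for the example.

```javascript
// Added example: a minimal SQL template tag with concat(), illustrative only
// and not the @capriza/safe-sql implementation. Assumed shape: an object
// exposing `query` (SQL text with $1, $2, ... placeholders) and `bind`
// (the values, in placeholder order).

class SafeQuery {
  constructor(strings, values) {
    // Literal fragments and interpolated values are kept separate; the SQL
    // text is rendered from the fragments alone, so a value can never alter it.
    this._strings = [...strings]; // always values.length + 1 entries
    this._values = [...values];
  }

  // Render "frag0 $1 frag1 $2 frag2 ..." from the literal fragments.
  get query() {
    return this._strings.reduce((sql, s, i) => sql + (i ? `$${i}` : "") + s, "");
  }

  // Bind values in placeholder order (a copy, so callers cannot mutate ours).
  get bind() {
    return [...this._values];
  }

  // Append another tagged query. Because placeholders are numbered at render
  // time, the appended part's values simply continue the sequence. Mutates and
  // returns this, matching the unassigned `query.concat(...)` usage above.
  concat(other) {
    if (!(other instanceof SafeQuery)) {
      // A raw string here is exactly the hole the tag exists to close.
      throw new TypeError("concat() only accepts SQL-tagged queries");
    }
    const last = this._strings.pop();
    this._strings.push(last + other._strings[0], ...other._strings.slice(1));
    this._values.push(...other._values);
    return this;
  }
}

// The tag function: literal text passes through untouched, every ${...}
// becomes a bind parameter. Identifiers therefore have to be literal text.
function SQL(strings, ...values) {
  return new SafeQuery(strings, values);
}

// Constructed attacker-controlled input: the classic tautology payload.
const MALICIOUS_USERNAME = "' OR '1'='1";

// The wrong way from the Usage section (quotes added so the intended query is
// valid SQL): the value is spliced straight into the query text.
function buildUnsafe(username) {
  return `SELECT * FROM users WHERE name = '${username}'`;
}

// The tagged way: same interpolation syntax, but the value becomes $1.
function buildSafe(username) {
  return SQL`SELECT * FROM users WHERE name = ${username}`;
}

// The concat example from this page, built from a hypothetical request object
// of the shape { query: { username, location, limit } }.
function buildFiltered(req) {
  const q = SQL`SELECT * FROM users WHERE name = ${req.query.username}`;
  if (req.query.location) {
    q.concat(SQL` AND location = ${req.query.location}`);
  }
  q.concat(SQL` LIMIT ${req.query.limit}`);
  return q;
}

module.exports = { SQL, SafeQuery, MALICIOUS_USERNAME, buildUnsafe, buildSafe, buildFiltered };
```

With the payload above, `buildUnsafe` yields `SELECT * FROM users WHERE name = '' OR '1'='1'`, a query that matches every row, while `buildSafe` yields `SELECT * FROM users WHERE name = $1` with the whole payload sitting inertly in `bind[0]`. `buildFiltered` reproduces the `$1 AND location = $2 LIMIT $3` rendering from the concat section, and drops to `$1 LIMIT $2` when no location is supplied, which is the renumbering that a hand-written bind array would get wrong.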