sql-assert
v1.0.4
Assert identifiers (e.g. table/view names) before using them in SQL statements.
SQL Assert
Installation
npm install sql-assert --save
Usage
Standalone
import { simpleSqlName, qualifiedSqlName, noop } from "sql-assert";
// returns a valid SQL name or throws an error
const stmt1 = `select count(*) from ${simpleSqlName(tableName)}`;
const stmt2 = `select count(*) from ${qualifiedSqlName(tableName)}`;
// no operation, returns original value
// SQL injection is possible, e.g., if `tableName` is a function parameter
const stmt3 = `select count(*) from ${noop(tableName)}`;
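As an added example, not code from the sql-assert package: a minimal reimplementation of the three guards above that shows which identifiers pass and which are rejected before they reach a statement. The validation rules (`SIMPLE_NAME`, at most three dot-separated parts) and the helpers `countStatement` and `rejects` are assumptions, since the page does not state the package's actual rules.

```javascript
// Added example, not the sql-assert package's own code. The identifier
// rules below are ASSUMED; the page does not state the package's rules.

// ASSUMPTION: a simple name is a standard SQL regular identifier: a letter
// or underscore followed by up to 127 letters, digits or underscores.
// Quoted identifiers, spaces and punctuation are rejected.
const SIMPLE_NAME = /^[A-Za-z_][A-Za-z0-9_]{0,127}$/;

// Returns `value` unchanged if it is a valid simple name, otherwise throws.
function simpleSqlName(value) {
  if (typeof value !== "string" || !SIMPLE_NAME.test(value)) {
    throw new Error(`invalid SQL identifier: ${JSON.stringify(value)}`);
  }
  return value;
}

// A qualified name is one to three simple names joined by dots,
// e.g. "hr.employees" (ASSUMPTION: three parts at most).
function qualifiedSqlName(value) {
  if (typeof value !== "string") {
    throw new Error(`invalid SQL identifier: ${JSON.stringify(value)}`);
  }
  const parts = value.split(".");
  if (parts.length > 3) {
    throw new Error(`too many name parts: ${value}`);
  }
  parts.forEach(simpleSqlName); // each part must itself be valid
  return value;
}

// No-op guard: returns the value untouched, so it is only safe for constants.
function noop(value) {
  return value;
}

// The count statement from the Standalone example, with the guard applied.
function countStatement(tableName) {
  return `select count(*) from ${qualifiedSqlName(tableName)}`;
}

// True if `guard` throws for `value`; shows which inputs are blocked.
function rejects(guard, value) {
  try {
    guard(value);
    return false;
  } catch (err) {
    return true;
  }
}
```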
With sql-template-tag
import sql, { raw } from "sql-template-tag";
import { simpleSqlName, qualifiedSqlName } from "sql-assert";
// throws an error if tableName or columnName is not syntactically valid
// columnValue is a bind variable, hence no SQL injection is possible
const query = sql`select count(*)
from ${raw(qualifiedSqlName(tableName))}
where ${raw(simpleSqlName(columnName))} = ${columnValue}`;
License
sql-assert is licensed under the Apache License, Version 2.0. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.