openbase logo
openbase logo
CategoriesLeaderboard
ps

pg-sql

by Caleb Meredith
1.1.0 (see all)

Create SQL for Postgres in a safe and composable fashion with the power of template strings.

npm
GitHub
CDN

Overview

DocumentationTutorialsReviewsMaintenanceDependenciesVersionsAlternatives
Showing:

Popularity

Downloads/wk

3.6K

GitHub Stars

35

Maintenance

Last Commit

5yrs ago

Contributors

0

Package

Dependencies

1

License

MIT

Type Definitions

Built-In

Tree-Shakeable

No?

Categories

Reviews

Be the first to rate

Readme

pg-sql

Create SQL for Postgres in a safe and composable fashion with the power of template strings.

import { sql } from 'pg-sql'

const tableName = 'user'
const id = 10
const query = sql`select * from ${sql.ident(tableName)} where id = ${id}`

console.log(query)

// -> { text: 'select * from "user" where id = $1', values: [10] }

This approach makes it impossible for developers to accidently introduce SQL injection vulnerabilities. The only way to inject raw SQL is if your developer writes it in the template string, or a developer wraps arbitrary input with the sql.raw function.

You can also easily compose queries:

import { sql } from 'pg-sql'

const var1 = 'foo'
const var2 = 'bar'
const var3 = 'baz'

const expression = sql`(${var1} || ${var2})`
const query = sql`select ${expression} || ${var3}`

console.log(query)

// -> { text: 'select ($1 || $2) || $3', values: ['foo', 'bar', 'baz'] }

Queries created with the sql template string tag are ready to be used with the pg package as they are compatible with the prepared query object format. Just pass the query directly in like so:

pg.query(sql`select * from user where id = ${id}`).then(({ rows }) => console.log(rows))

API

The API of this module is fairly simple, but this is where some of its power comes from.

sql`...`

A template string tag which interpolates all values as placeholders unless they are escaped with a function from this package such as sql.ident or sql.raw.

Example:

sql`select * from user where id = ${id}`

sql.ident(...names)

Creates a Postgres identifier. A qualified identifier will be created if more than one name is passed. If a non-string value is used for a name, such as a symbol, a local identifier will be generated.

Examples:

sql`select * from ${sql.ident('user')}`
// -> 'select * from "user"'

sql`select * from ${sql.ident('schema', 'user')}`
// -> 'select * from "schema"."user"'

const fromIdent = Symbol()

sql`select * from user as ${sql.ident(fromIdent)}`
// -> 'select * from user as __local_0__'

sql.raw(text)

Use a string of text directly in the SQL. Helpful if you need to escape the constraints of this library.

Warning: If you use arbitrary user generated input anywhere inside the text you pass to sql.raw, you will have a SQL injection vulnerability. Try not to use sql.raw unless absolutely necessary.

Example:

sql`select * from user where id ${sql.raw('=')} 5`
// -> 'select * from user where id = 5'

sql.join(queries, seperator?)

Joins an array of SQL queries together with an optional seperator. Works similarly to Array#join.

Example:

sql`select ${sql.join([sql.query`id`, sql.query`name`], ', ')} from user`
// -> 'select id, name from user'

Thanks

Enjoy the library? Want to see what the author is up to next? Follow me on Twitter @calebmer.

Rate & Review

Great Documentation0
Easy to Use0
Performant0
Highly Customizable0
Bleeding Edge0
Responsive Maintainers0
Poor Documentation0
Hard to Use0
Slow0
Buggy0
Abandoned0
Unwelcoming Community0
100
No reviews found
Be the first to rate

Alternatives

No alternatives found

Tutorials

No tutorials found
Add a tutorial