sql-tagged-template-literal

``sh npm install sql-tagged-template-literal`

Useful for data dumps and other "just gimme a query" tasks.

`js const userInput =Robert'); DROP TABLE Students;--

const query = sqlINSERT INTO awesome_table (sweet_column) VALUES (${userInput})

query // => INSERT INTO awesome_table (sweet_column) VALUES ('Robert\\'); DROP TABLE Students;--')`

- Unlike node-sql-template-strings, this module returns a string - Unlike sql-concat, this module isn't great at building queries dynamically

Uses the sqlstring library for escaping.

Only meant for escaping values - you shouldn't put table or column names in expressions.

`Escape mechanisms`

`$3`

`js sqlSELECT ${null} IS NULL // => SELECT NULL IS NULL`

`$3`

`js sqlSELECT ${undefined} IS NULL // => SELECT NULL IS NULL`

`$3`

`js sqlSELECT ${"what's up"} AS lulz // => SELECT 'what\\'s up' AS lulz`

`$3`

`js sqlSELECT ${13} AS totally_lucky // => SELECT 13 AS totally_lucky`

`$3`

`js sqlSELECT ${true} = ${false} // => SELECT true = false`

`$3`

MySQL has a JSON data type, after all.

`js const legitObject = { fancy: 'yes\'m' }

const jsonInsertQuery = sqlINSERT INTO document_store (json_column) VALUES (${legitObject})

jsonInsertQuery // => INSERT INTO document_store (json_column) VALUES ('{\\"fancy\\":\\"yes\\'m\\"}')`

`$3`

`js const arrayQuery = sqlWHERE name IN(${[ Alice, userInput ]})

arrayQuery // => "WHERE name IN('Alice', 'Robert\\'); DROP TABLE Students;--')"`

`js const mySet = new Set([ 1, 42 ]) sqlWHERE value IN(${ mySet })// => "WHERE value IN(1, 42)"`

`js const twoDimensionalArray = [[a, 1], [b, 2], [c, 3]] const twoDimensionalQuery = sqlINSERT INTO tablez (letter, number) VALUES ${twoDimensionalArray}

twoDimensionalQuery // => INSERT INTO tablez (letter, number) VALUES ('a', 1), ('b', 2), ('c', 3)``

License

WTFPL

sql-tagged-template-literal

``sh npm install sql-tagged-template-literal`

Useful for data dumps and other "just gimme a query" tasks.

`js const userInput =Robert'); DROP TABLE Students;--

const query = sqlINSERT INTO awesome_table (sweet_column) VALUES (${userInput})

query // => INSERT INTO awesome_table (sweet_column) VALUES ('Robert\\'); DROP TABLE Students;--')`

- Unlike node-sql-template-strings, this module returns a string - Unlike sql-concat, this module isn't great at building queries dynamically

Uses the sqlstring library for escaping.

Only meant for escaping values - you shouldn't put table or column names in expressions.

`Escape mechanisms`

`$3`

`js sqlSELECT ${null} IS NULL // => SELECT NULL IS NULL`

`$3`

`js sqlSELECT ${undefined} IS NULL // => SELECT NULL IS NULL`

`$3`

`js sqlSELECT ${"what's up"} AS lulz // => SELECT 'what\\'s up' AS lulz`

`$3`

`js sqlSELECT ${13} AS totally_lucky // => SELECT 13 AS totally_lucky`

`$3`

`js sqlSELECT ${true} = ${false} // => SELECT true = false`

`$3`

MySQL has a JSON data type, after all.

`js const legitObject = { fancy: 'yes\'m' }

const jsonInsertQuery = sqlINSERT INTO document_store (json_column) VALUES (${legitObject})

jsonInsertQuery // => INSERT INTO document_store (json_column) VALUES ('{\\"fancy\\":\\"yes\\'m\\"}')`

`$3`

`js const arrayQuery = sqlWHERE name IN(${[ Alice, userInput ]})

arrayQuery // => "WHERE name IN('Alice', 'Robert\\'); DROP TABLE Students;--')"`

`js const mySet = new Set([ 1, 42 ]) sqlWHERE value IN(${ mySet })// => "WHERE value IN(1, 42)"`

`js const twoDimensionalArray = [[a, 1], [b, 2], [c, 3]] const twoDimensionalQuery = sqlINSERT INTO tablez (letter, number) VALUES ${twoDimensionalArray}

twoDimensionalQuery // => INSERT INTO tablez (letter, number) VALUES ('a', 1), ('b', 2), ('c', 3)``

License

WTFPL