@capriza/safe-sql

safe-sql

Protect your code from accidental SQL injection vulnerabilities by using the SQL template tag on raw SQL queries with Sequelize.

Provides the best protection against accidental SQL injection when combined with the use of https://github.com/capriza/eslint-plugin-safe-sql.

Installation

$ npm install @capriza/safe-sql

Usage

// the wrong way - potential vulnerability
sequelize.query(`SELECT * FROM users WHERE name = ${req.query.username}`);

// the right way - using bind
sequelize.query(`SELECT * FROM users WHERE name = $1`, {bind: [req.query.username]});

// the best way - using safe-sql
const SQL = require("safe-sql");
sequelize.query(SQL`SELECT * FROM users WHERE name = ${req.query.username}`);

concat

The concat method enables building a single SQL query from a concatenation of several sql query parts

let query = SQL`SELECT * FROM users WHERE name = ${req.query.username}`;
if (req.query.location) {
  query.concat(SQL` AND location = ${req.query.location}`);
}
query.concat(SQL` LIMIT ${req.query.limit}`);
sequelize.query(query);
// -> SELECT * FROM users WHERE name = $1 AND location = $2 LIMIT $3`