This module provides a method for writing sql queries that is as safe as it possibly can be from SQL injection. It is part of the moped suite of utilities for creating composable configs for building node.js and react apps.
This module provides a method for writing sql queries that is as safe as it possibly can be from SQL injection. It is part of the moped suite of utilities for creating composable configs for building node.js and react apps.
This module is designed to be used in conjunction with @moped/db-pg, but I intend to make it portable to any other SQL databases supported by moped.
yarn add @moped/sql
import { sql } from 'pg-sql'
const tableName = 'user'
const id = 10
const query = sql`select * from ${sql.ident(tableName)} where id = ${id}`
sql`...` A template string tag which interpolates all values as placeholders unless they are escaped with a function from this package such as sql.ident or sql.__dangerous__rawValue.
Example:
sql`select * from user where id = ${id}`
sql.ident(...names)Creates a Postgres identifier. A qualified identifier will be created if more than one name is passed. If a non-string value is used for a name, such as a symbol, a local identifier will be generated.
Examples:
sql`select * from ${sql.ident('user')}`
// -> 'select * from "user"'
sql`select * from ${sql.ident('schema', 'user')}`
// -> 'select * from "schema"."user"'
const fromIdent = Symbol()
sql`select * from user as ${sql.ident(fromIdent)}`
// -> 'select * from user as __local_0__'
sql.__dangerous__rawValue(text)Use a string of text directly in the SQL. Helpful if you need to escape the constraints of this library.
Warning: If you use arbitrary user generated input anywhere inside the text you pass to
sql.__dangerous__rawValue, you will have a SQL injection vulnerability. Try not to usesql.__dangerous__rawValueunless absolutely necessary.
Example:
sql`select * from user where id ${sql.__dangerous__rawValue('=')} 5`
// -> 'select * from user where id = 5'
sql.join(queries, seperator?)Joins an array of SQL queries together with an optional seperator. Works similarly to Array#join.
Example:
sql`select ${sql.join([sql.query`id`, sql.query`name`], ', ')} from user`
// -> 'select id, name from user'
MIT
FAQs
This module provides a method for writing sql queries that is as safe as it possibly can be from SQL injection. It is part of the moped suite of utilities for creating composable configs for building node.js and react apps.
We found that @moped/sql demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
A malicious Chrome extension steals newly created MEXC API keys, exfiltrates them to Telegram, and enables full account takeover with trading and withdrawal rights.
Security News
CVE disclosures hit a record 48,185 in 2025, driven largely by vulnerabilities in third-party WordPress plugins.
Security News
Socket CEO Feross Aboukhadijeh joins Insecure Agents to discuss CVE remediation and why supply chain attacks require a different security approach.