@nutshelllabs/sql-tag
Advanced tools
Prevent SQL injection vulnerabilities by parameterizing your queries with this simple template tag helper.
pg libraryWhile this library is nice, you probably don't need it. It's primary purpose is to prevent SQL injection vulnerabilities when writing sql. The pg library supports parameterized queries, but you need to manage the parameters yourself. This library provides an ergonomic template tag to do this work for you, however most other libraries for working with a database already do this. If you find yourself in the unique situation where you're writing some SQL, and don't want to switch to a another database client like slonik or postgres-js, then this library might be for you.
Example:
import { sql, toQuery } from "@nutshelllabs/sql-tag";
const userId = 123;
const userName = "john";
// Use tagged template like this
const sqlStatement = sql`SELECT * FROM users WHERE id = ${userId} AND name = ${userName}`
const results = await client.query(toQuery(query));
This method is the main entry point for the library. It takes a template literal and returns an object contain string parts and parameters. See the basic example above.
The most important thing about this is that you can nest values, and they will be "flattened" into the final query.
const whereClause1 = sql`id = ${userId}`;
const query = sql`SELECT * FROM users WHERE ${whereClause1}`;
const { text, values } = toQuery(query);
console.log(text); // SELECT * FROM users WHERE id = $1
console.log(values); // [userId]
This function will take a SQLFragment object and return an object compatible with pg's query method. Specifically it will match the QueryConfig type described here.
This function "renders" the string parts by adding in all the $1, $2, etc. placeholders in the right places. There is no deduplication of params, so if the same value occurs multiple times in the parameters, it will be added multiple times.
To support existing legacy use cases, this function will also accept a list of parameters that already have placeholders.
const query = sql`SELECT * FROM users WHERE id = ${userId} && name = $1`;
const { text, values } = toQuery(query, ["john"]);
console.log(text); // SELECT * FROM users WHERE id = $2 && name = $1
console.log(values); // ["john", userId]
This will allow you to keep any existing code that works with parameters intact, but still use the sql tag to write SQL queries to add more parameters. IMPORTANT: this library doesn't check the query & params to make sure they line up, so you'll need to ensure that the number of existing placeholders match the number of parameters on your own.
A simple helper to escape double quotes in identifiers.
const tableName = "users";
const columnName = "email";
const sqlStatement = sql`SELECT ${identifier(columnName)} FROM ${identifier(tableName)}`;
const { text, values } = toQuery(sqlStatement);
console.log(text); // SELECT "email" FROM "users"
console.log(values); // []
A helper to escape single quotes in literals.
const columnName = "email";
const sqlStatement = sql`SELECT ${literal(columnName)} FROM users`;
const { text, values } = toQuery(sqlStatement);
console.log(text); // SELECT 'email' FROM users
console.log(values); // []
This function enables you to join multiple fragments together, similar to Array.prototype.join().
const clauses = [
sql`id = ${userId}`,
sql`name = ${userName}`,
];
const clauses = join(clauses, sql` AND `);
const query = sql`SELECT * FROM users WHERE ${clauses}`;
const { text, values } = toQuery(query);
console.log(text); // SELECT * FROM users WHERE id = $1 AND name = $2
console.log(values); // [userId, userName]
IMPORTANT: This is an escape hatch for writing unsafe SQL queries. Any string created in raw() will be inlined into the final query without modification or escaping.
const userInput = "; DROP TABLE users; --";
const query = sql`SELECT * FROM users WHERE ${raw(userInput)}`;
const { text, values } = toQuery(query);
console.log(text); // SELECT * FROM users WHERE ; DROP TABLE users; --
console.log(values); // []
FAQs
A template tag helper for writing SQL queries in TypeScript
The npm package @nutshelllabs/sql-tag receives a total of 0 weekly downloads. As such, @nutshelllabs/sql-tag popularity was classified as not popular.
We found that @nutshelllabs/sql-tag demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
GemStuffer abuses RubyGems as an exfiltration channel, packaging scraped UK council portal data into junk gems published from new accounts.
Company News
Socket was named to the Rising in Cyber 2026 list, recognizing 30 private cybersecurity startups selected by CISOs and security executives.
Research
Socket detected 84 compromised TanStack npm package artifacts modified with suspected CI credential-stealing malware.