The mssql npm package is a Microsoft SQL Server client for Node.js. It allows you to connect to SQL Server databases, execute queries, and manage transactions. It supports both Promises and async/await syntax, making it versatile for different coding styles.
Connecting to a SQL Server
This code demonstrates how to connect to a SQL Server database using the mssql package. You need to provide your database credentials and server information in the config object.
const sql = require('mssql');
const config = {
user: 'your_username',
password: 'your_password',
server: 'your_server',
database: 'your_database'
};
async function connectToDatabase() {
try {
let pool = await sql.connect(config);
console.log('Connected to the database');
} catch (err) {
console.error('Database connection failed: ', err);
}
}
connectToDatabase();
Executing a Query
This code demonstrates how to execute a SQL query using the mssql package. It connects to the database and runs a SELECT query on a specified table.
const sql = require('mssql');
const config = {
user: 'your_username',
password: 'your_password',
server: 'your_server',
database: 'your_database'
};
async function executeQuery() {
try {
let pool = await sql.connect(config);
let result = await pool.request().query('SELECT * FROM your_table');
console.log(result);
} catch (err) {
console.error('Query execution failed: ', err);
}
}
executeQuery();
Using Prepared Statements
This code demonstrates how to use prepared statements with the mssql package. Prepared statements are useful for executing queries with parameters, which can help prevent SQL injection attacks.
const sql = require('mssql');
const config = {
user: 'your_username',
password: 'your_password',
server: 'your_server',
database: 'your_database'
};
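async function executePreparedStatement() {
  let ps;
  let prepared = false;
  try {
    const pool = await sql.connect(config);
    ps = new sql.PreparedStatement(pool);
    ps.input('input_parameter', sql.Int);
    await ps.prepare('SELECT * FROM your_table WHERE id = @input_parameter');
    prepared = true;
    const result = await ps.execute({ input_parameter: 1 });
    console.log(result);
  } catch (err) {
    console.error('Prepared statement execution failed: ', err);
  } finally {
    // Always unprepare, even when execute() throws: a prepared statement
    // keeps one pooled connection reserved until it is released.
    if (prepared) {
      await ps.unprepare().catch(err => console.error('Unprepare failed: ', err));
    }
  }
}
executePreparedStatement();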
Managing Transactions
This code demonstrates how to manage transactions using the mssql package. Transactions allow you to execute a series of queries as a single unit of work, which can be committed or rolled back based on success or failure.
const sql = require('mssql');
const config = {
user: 'your_username',
password: 'your_password',
server: 'your_server',
database: 'your_database'
};
async function manageTransaction() {
  // Declared outside the try block so the catch block can reach it.
  let transaction;
  try {
    const pool = await sql.connect(config);
    transaction = new sql.Transaction(pool);
    await transaction.begin();
    const request = new sql.Request(transaction);
    await request.query('INSERT INTO your_table (column1) VALUES (value1)');
    await transaction.commit();
    console.log('Transaction committed');
  } catch (err) {
    console.error('Transaction failed: ', err);
    // transaction is still undefined if the connection itself failed
    if (transaction) await transaction.rollback();
  }
}
manageTransaction();
The mysql package is a client for MySQL databases. It provides similar functionalities to mssql, such as connecting to a database, executing queries, and managing transactions. However, it is specifically designed for MySQL databases.
The pg package is a PostgreSQL client for Node.js. Like mssql, it allows you to connect to a database, execute queries, and manage transactions. It is tailored for PostgreSQL databases and offers features specific to PostgreSQL.
The sqlite3 package is a client for SQLite databases. It provides functionalities for connecting to SQLite databases, executing queries, and managing transactions. Unlike mssql, it is designed for lightweight, file-based databases.
Microsoft SQL Server client for Node.js
Supported TDS drivers:
npm install mssql
const sql = require('mssql')
async () => {
try {
// make sure that any items are correctly URL encoded in the connection string
await sql.connect('mssql://username:password@localhost/database')
const result = await sql.query`select * from mytable where id = ${value}`
console.dir(result)
} catch (err) {
// ... error checks
}
}
If you're on Windows Azure, add ?encrypt=true to your connection string. See docs to learn more.
Parts of the connection URI should be correctly URL encoded so that the URI can be parsed correctly.
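The effect of skipping that encoding, shown as an added example (not code from the mssql project). The credentials are constructed sample values, and Node's built-in WHATWG URL class is used as a stand-in parser, which is an assumption: the driver's own parsing may differ in detail.

```javascript
'use strict';

// Constructed sample values; not real credentials.
const SAMPLE = {
  user: 'app_user',
  password: 'p@ss/w:rd#1', // contains four URI-reserved characters
  server: 'localhost',
  port: 1433,
  database: 'database'
};

// Naive concatenation: reserved characters in the password become URI structure.
function buildNaiveUri(c) {
  return `mssql://${c.user}:${c.password}@${c.server}:${c.port}/${c.database}?encrypt=true`;
}

// Encoded form: each caller-supplied component is percent-encoded on its own.
function buildEncodedUri(c) {
  const enc = encodeURIComponent;
  return `mssql://${enc(c.user)}:${enc(c.password)}@${c.server}:${c.port}` +
         `/${enc(c.database)}?encrypt=true`;
}

// Parse a URI and report which host, user, password and database it really names.
function inspectUri(uri) {
  try {
    const u = new URL(uri);
    return {
      hostname: u.hostname,
      port: u.port,
      user: decodeURIComponent(u.username),
      password: decodeURIComponent(u.password),
      database: decodeURIComponent(u.pathname.replace(/^\//, '')),
      encrypt: u.searchParams.get('encrypt')
    };
  } catch (err) {
    return { error: err.message };
  }
}

// True when the encoded URI parses back to exactly the values that went in.
function roundTrips(c) {
  const p = inspectUri(buildEncodedUri(c));
  return p.hostname === c.server &&
         p.port === String(c.port) &&
         p.user === c.user &&
         p.password === c.password &&
         p.database === c.database;
}

// Demo: the naive URI names a different host and a truncated password.
console.log('naive  :', inspectUri(buildNaiveUri(SAMPLE)));
console.log('encoded:', inspectUri(buildEncodedUri(SAMPLE)));
```

With the naive form, the text after the first `@` in the password is read as the host, so the login attempt goes to a server the operator never named.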
const config = {
user: '...',
password: '...',
server: 'localhost', // You can use 'localhost\\instance' to connect to named instance
database: '...',
}
const sql = require('mssql'); // semicolon required: the next line starts with "("
(async function () {
try {
let pool = await sql.connect(config)
let result1 = await pool.request()
.input('input_parameter', sql.Int, value)
.query('select * from mytable where id = @input_parameter')
console.dir(result1)
// Stored procedure
let result2 = await pool.request()
.input('input_parameter', sql.Int, value)
.output('output_parameter', sql.VarChar(50))
.execute('procedure_name')
console.dir(result2)
} catch (err) {
// ... error checks
}
})()
sql.on('error', err => {
// ... error handler
})
const sql = require('mssql')
sql.on('error', err => {
// ... error handler
})
sql.connect(config).then(pool => {
// Query
return pool.request()
.input('input_parameter', sql.Int, value)
.query('select * from mytable where id = @input_parameter')
}).then(result => {
console.dir(result)
}).catch(err => {
// ... error checks
});
const sql = require('mssql')
sql.on('error', err => {
// ... error handler
})
sql.connect(config).then(pool => {
// Stored procedure
return pool.request()
.input('input_parameter', sql.Int, value)
.output('output_parameter', sql.VarChar(50))
.execute('procedure_name')
}).then(result => {
console.dir(result)
}).catch(err => {
// ... error checks
})
Native Promise is used by default. You can easily change this with sql.Promise = require('myownpromisepackage').
const sql = require('mssql')
sql.connect(config).then(() => {
return sql.query`select * from mytable where id = ${value}`
}).then(result => {
console.dir(result)
}).catch(err => {
// ... error checks
})
sql.on('error', err => {
// ... error handler
})
All values are automatically sanitized against SQL injection. This is because the query is rendered as a prepared statement, so all limitations that MS SQL imposes on parameters apply; e.g. column names cannot be passed or set in statements using variables.
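Because column names and sort direction cannot travel as parameters, they have to be validated before they reach the query text. One way to do that, as an added example (not code from the mssql project): the column allowlist, the helper names and the recording stub are hypothetical, while the table name and the two-argument request.input(name, value) form are taken from this page.

```javascript
'use strict';

// Hypothetical schema: the only columns a caller may sort by.
const SORTABLE_COLUMNS = new Set(['id', 'name', 'created_at']);
const DIRECTIONS = new Set(['ASC', 'DESC']);

// Bracket-quote an identifier, doubling any closing bracket
// (the T-SQL rule for delimited identifiers).
function quoteIdent(name) {
  return '[' + String(name).replace(/\]/g, ']]') + ']';
}

// Build query text plus parameter list. Identifiers come only from the
// allowlist; values are never concatenated into the text.
function buildListQuery({ minId, sortBy = 'id', direction = 'ASC' }) {
  if (!SORTABLE_COLUMNS.has(sortBy)) {
    throw new RangeError(`column not allowed: ${JSON.stringify(sortBy)}`);
  }
  const dir = String(direction).toUpperCase();
  if (!DIRECTIONS.has(dir)) {
    throw new RangeError(`direction not allowed: ${JSON.stringify(direction)}`);
  }
  if (!Number.isInteger(minId)) {
    throw new TypeError('minId must be an integer');
  }
  return {
    text: `select * from mytable where id >= @min_id order by ${quoteIdent(sortBy)} ${dir}`,
    inputs: [{ name: 'min_id', value: minId }]
  };
}

// Bind the built query onto any object with mssql's request.input() and
// request.query() methods, e.g. pool.request().
function run(request, built) {
  for (const p of built.inputs) request.input(p.name, p.value);
  return request.query(built.text);
}

// Recording stub used in place of a live sql.Request so this runs offline.
function makeRecordingRequest() {
  const calls = { inputs: {}, text: null };
  return {
    calls,
    input(name, value) { calls.inputs[name] = value; return this; },
    query(text) { calls.text = text; return Promise.resolve({ recordset: [] }); }
  };
}

// Demo with constructed input.
const demo = buildListQuery({ minId: 10, sortBy: 'created_at', direction: 'desc' });
console.log(demo.text, demo.inputs);
```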
const sql = require('mssql')
sql.connect(config, err => {
// ... error checks
// Query
new sql.Request().query('select 1 as number', (err, result) => {
// ... error checks
console.dir(result)
})
// Stored Procedure
new sql.Request()
.input('input_parameter', sql.Int, value)
.output('output_parameter', sql.VarChar(50))
.execute('procedure_name', (err, result) => {
// ... error checks
console.dir(result)
})
// Using template literal
const request = new sql.Request()
request.query(request.template`select * from mytable where id = ${value}`, (err, result) => {
// ... error checks
console.dir(result)
})
})
sql.on('error', err => {
// ... error handler
})
If you plan to work with a large number of rows, you should always use streaming. Once you enable this, you must listen for events to receive data.
const sql = require('mssql')
sql.connect(config, err => {
// ... error checks
const request = new sql.Request()
request.stream = true // You can set streaming differently for each request
request.query('select * from verylargetable') // or request.execute(procedure)
request.on('recordset', columns => {
// Emitted once for each recordset in a query
})
request.on('row', row => {
// Emitted for each row in a recordset
})
request.on('error', err => {
// May be emitted multiple times
})
request.on('done', result => {
// Always emitted as the last one
})
})
sql.on('error', err => {
// ... error handler
})
When streaming large sets of data you want to back-off or chunk the amount of data you're processing to prevent memory exhaustion issues; you can use the Request.pause() function to do this. Here is an example of managing rows in batches of 15:
let rowsToProcess = [];
request.on('row', row => {
rowsToProcess.push(row);
if (rowsToProcess.length >= 15) {
request.pause();
processRows();
}
});
request.on('done', () => {
processRows();
});
function processRows() {
// process rows
rowsToProcess = [];
request.resume();
}
An important concept to understand when using this library is Connection Pooling as this library uses connection pooling extensively.
As one Node JS process is able to handle multiple requests at once, we can take advantage of this long running process to create a pool of database connections for reuse; this saves overhead of connecting to the database for each request (as would be the case in something like PHP, where one process handles one request).
With the advantages of pooling comes some added complexities, but these are mostly just conceptual and once you understand how the pooling is working, it is simple to make use of it efficiently and effectively.
To assist with pool management in your application there is the global connect() function that is available for use. As of v6 of this library a developer can make repeated calls to this function to obtain the global connection pool. This means you do not need to keep track of the pool in your application (as used to be the case). If the global pool is already connected, it will resolve to the connected pool. For example:
const sql = require('mssql')
// run a query against the global connection pool
function runQuery(query) {
// sql.connect() will return the existing global pool if it exists or create a new one if it doesn't
return sql.connect().then((pool) => {
return pool.query(query)
})
}
Here we obtain the global connection pool by running sql.connect() and we then run the query against the pool.
We also do not close the pool after the query is executed and that is because other queries may need to be run against this pool and closing it will add an overhead to running the query. We should only ever close the pool when our application is finished. For example, if we are running some kind of CLI tool or a CRON job:
const sql = require('mssql'); // semicolon required: the next line starts with "("
(() => {
sql.connect().then(pool => {
return pool.query('SELECT 1')
}).then(result => {
// do something with result
}).then(() => {
return sql.close()
})
})()
Here the connection will be closed and the node process will exit once the queries and other application logic has completed. You should aim to only close the pool once in your application, when it is exiting or you know your application will never make another SQL query.
In some instances you will not want to use the connection pool; you may have multiple databases to connect to, or you may have one pool for read-only operations and another pool for read-write. In this instance you will need to implement your own pool management.
That could look something like this:
const { ConnectionPool } = require('mssql')
const POOLS = {}
function createPool(config, name) {
if (getPool(name)) {
throw new Error('Pool with this name already exists')
}
return POOLS[name] = (new ConnectionPool(config)).connect()
}
function closePool(name) {
if (Object.prototype.hasOwnProperty.call(POOLS, name)) { // .call, not .apply: name is a single argument, not an argument list
const pool = POOLS[name];
delete POOLS[name];
return pool.close()
}
}
function getPool(name) {
if (Object.prototype.hasOwnProperty.call(POOLS, name)) { // .call, not .apply: name is a single argument, not an argument list
return POOLS[name]
}
}
module.exports = {
closePool,
createPool,
getPool
}
This helper file can then be used in your application to create, fetch and close your pools. As with the global pools, you should aim to only close a pool when you know it will never be needed by the application again; typically this will be when your application is shutting down.
Using a single connection pool for your application/service is recommended.
Instantiating a pool with a callback, or immediately calling .connect, is asynchronous to ensure a connection can be established before returning. From that point, you're able to acquire connections as normal:
const sql = require('mssql')
// async/await style:
const pool1 = new sql.ConnectionPool(config);
const pool1Connect = pool1.connect();
pool1.on('error', err => {
// ... error handler
})
async function messageHandler() {
await pool1Connect; // ensures that the pool has been created
try {
const request = pool1.request(); // or: new sql.Request(pool1)
const result = await request.query('select 1 as number')
console.dir(result)
return result;
} catch (err) {
console.error('SQL error', err);
}
}
// promise style:
const pool2 = new sql.ConnectionPool(config)
const pool2Connect = pool2.connect()
pool2.on('error', err => {
// ... error handler
})
function runStoredProcedure() {
return pool2Connect.then((pool) => {
pool.request() // or: new sql.Request(pool2)
.input('input_parameter', sql.Int, 10)
.output('output_parameter', sql.VarChar(50))
.execute('procedure_name', (err, result) => {
// ... error checks
console.dir(result)
})
}).catch(err => {
// ... error handler
})
}
Awaiting or .then-ing the pool creation is a safe way to ensure that the pool is always ready, without knowing where it is needed first. In practice, once the pool is created then there will be no delay for the next operation.
As of v6.1.0 you can make repeat calls to ConnectionPool.connect() and ConnectionPool.close() without an error being thrown, allowing for the safe use of mssql.connect().then(...) throughout your code as well as making multiple calls to close when your application is shutting down.
The ability to call connect() repeatedly is intended to make pool management easier, however it is still recommended to follow the example above where connect() is called once and using the original resolved connection promise.
Repeatedly calling connect() when running queries risks running into problems when close() is called on the pool.
ES6 Tagged template literals
new sql.ConnectionPool(config).connect().then(pool => {
return pool.query`select * from mytable where id = ${value}`
}).then(result => {
console.dir(result)
}).catch(err => {
// ... error checks
})
All values are automatically sanitized against sql injection.
Most applications will only need a single ConnectionPool that can be shared throughout the code. To aid the sharing of a single pool this library exposes a set of functions to access a single global connection. eg:
// as part of your application's boot process
const sql = require('mssql')
const poolPromise = sql.connect()
// during your applications runtime
poolPromise.then(() => {
return sql.query('SELECT 1')
}).then(result => {
console.dir(result)
})
// when your application exits
poolPromise.then(() => {
return sql.close()
})
If you require multiple pools per application (perhaps you have many DBs you need to connect to or you want a read-only pool), then you will need to manage your pools yourself. The best way to do this is to create a shared library file that can hold references to the pools for you. For example:
const sql = require('mssql')
const pools = {}
// manage a set of pools by name (config will be required to create the pool)
// a pool will be removed when it is closed
async function getPool(name, config) {
if (!Object.prototype.hasOwnProperty.call(pools, name)) {
const pool = new sql.ConnectionPool(config)
const close = pool.close.bind(pool)
pool.close = (...args) => {
delete pools[name]
return close(...args)
}
await pool.connect()
pools[name] = pool
}
return pools[name]
}
// close all pools
function closeAll() {
return Promise.all(Object.values(pools).map((pool) => {
return pool.close()
}))
}
module.exports = {
closeAll,
getPool
}
You can then use this library file in your code to get a connected pool when you need it:
const { getPool } = require('./path/to/file')
// run a query
async function runQuery(query, config) {
// pool will always be connected when the promise has resolved - may reject if the connection config is invalid
const pool = await getPool('default', config)
const result = await pool.request().query(query)
return result
}
const config = {
user: '...',
password: '...',
server: 'localhost',
database: '...',
pool: {
max: 10,
min: 0,
idleTimeoutMillis: 30000
}
}
1433). Don't set when connecting to named instance.
15000).
15000). NOTE: msnodesqlv8 driver doesn't support timeouts < 1 second. When passed via connection string, the key must be request timeout
false). You can also enable streaming for each request independently (request.stream = true). Always set to true if you plan to work with large amount of rows.
false). For more information please see section JSON support.
10).
0).
30000).
columns array. See Handling Duplicate Column Names
Complete list of pool options can be found here.
In addition to configuration object there is an option to pass config as a connection string. Two formats of connection string are supported.
Server=localhost,1433;Database=database;User Id=username;Password=password;Encrypt=true
Driver=msnodesqlv8;Server=(local)\INSTANCE;Database=database;UID=DOMAIN\username;PWD=password;Encrypt=true
mssql://username:password@localhost:1433/database?encrypt=true
mssql://username:password@localhost/INSTANCE/database?encrypt=true&domain=DOMAIN&driver=msnodesqlv8
Default driver, actively maintained and production ready. Platform independent, runs everywhere Node.js runs. Officially supported by Microsoft.
Extra options:
conn is the configured tedious Connection. It can be used for attaching event handlers like in this example:
require('mssql').connect({...config, beforeConnect: conn => {
  conn.once('connect', err => { err ? console.error(err) : console.log('mssql connected')})
  conn.once('end', err => { err ? console.error(err) : console.log('mssql disconnected')})
}})
true).
true).
7_4, available: 7_1, 7_2, 7_3_A, 7_3_B, 7_4).
XACT_ABORT during the initial SQL phase of a connection.
More information about Tedious specific options: http://tediousjs.github.io/tedious/api-connection.html
Requires Node.js v10+ or newer. Windows only. This driver is not part of the default package and must be installed separately by npm install msnodesqlv8@^1. To use this driver, use this require syntax: const sql = require('mssql/msnodesqlv8').
Extra options:
conn is the connection configuration, that can be modified to pass extra parameters to the driver's open() method.
false).
true).
Default connection string when connecting to port:
Driver={SQL Server Native Client 11.0};Server={#{server},#{port}};Database={#{database}};Uid={#{user}};Pwd={#{password}};Trusted_Connection={#{trusted}};
Default connection string when connecting to named instance:
Driver={SQL Server Native Client 11.0};Server={#{server}\\#{instance}};Database={#{database}};Uid={#{user}};Pwd={#{password}};Trusted_Connection={#{trusted}};
Internally, each ConnectionPool instance is a separate pool of TDS connections. Once you create a new Request/Transaction/Prepared Statement, a new TDS connection is acquired from the pool and reserved for desired action. Once the action is complete, connection is released back to the pool. Connection health check is built-in so once the dead connection is discovered, it is immediately replaced with a new one.
IMPORTANT: Always attach an error listener to created connection. Whenever something goes wrong with the connection it will emit an error and if there is no listener it will crash your application with an uncaught error.
const pool = new sql.ConnectionPool({ /* config */ })
Create a new connection pool. The initial probe connection is created to find out whether the configuration is valid.
Arguments
Example
const pool = new sql.ConnectionPool({
user: '...',
password: '...',
server: 'localhost',
database: '...'
})
pool.connect(err => {
// ...
})
Errors
ConnectionError - Login failed.
ConnectionError - Connection timeout.
ConnectionError - Database is already connected!
ConnectionError - Already connecting to database!
ConnectionError - Instance lookup failed.
ConnectionError - Socket error.
Close all active connections in the pool.
Example
pool.close()
const request = new sql.Request(/* [pool or transaction] */)
If you omit pool/transaction argument, global pool is used instead.
Call a stored procedure.
Arguments
returnValue is also accessible as property of recordsets. Optional. If omitted, returns Promise.
Example
const request = new sql.Request()
request.input('input_parameter', sql.Int, value)
request.output('output_parameter', sql.Int)
request.execute('procedure_name', (err, result) => {
// ... error checks
console.log(result.recordsets.length) // count of recordsets returned by the procedure
console.log(result.recordsets[0].length) // count of rows contained in first recordset
console.log(result.recordset) // first recordset from result.recordsets
console.log(result.returnValue) // procedure return value
console.log(result.output) // key/value collection of output values
console.log(result.rowsAffected) // array of numbers, each number represents the number of rows affected by executed statements
// ...
})
Errors
RequestError - Message from SQL Server
RequestError - Cancelled.
RequestError - Request timeout.
RequestError - No connection is specified for that request.
ConnectionError - Connection not yet open.
ConnectionError - Connection is closed.
TransactionError - Transaction has not begun.
TransactionError - Transaction was aborted (by user or because of an error).
Add an input parameter to the request.
Arguments
undefined and NaN values are automatically converted to null values.
Example
request.input('input_parameter', value)
request.input('input_parameter', sql.Int, value)
JS Data Type To SQL Data Type Map
String
-> sql.NVarChar
Number
-> sql.Int
Boolean
-> sql.Bit
Date
-> sql.DateTime
Buffer
-> sql.VarBinary
sql.Table
-> sql.TVP
Default data type for unknown object is sql.NVarChar.
You can define your own type map.
sql.map.register(MyClass, sql.Text)
You can also overwrite the default type map.
sql.map.register(Number, sql.BigInt)
Errors (synchronous)
RequestError - Invalid number of arguments.
RequestError - SQL injection warning.
NB: Do not use parameters @p{n} as these are used by the internal drivers and cause a conflict.
Add an output parameter to the request.
Arguments
undefined and NaN values are automatically converted to null values. Optional.
Example
request.output('output_parameter', sql.Int)
request.output('output_parameter', sql.VarChar(50), 'abc')
Errors (synchronous)
RequestError - Invalid number of arguments.
RequestError - SQL injection warning.
Sets request to stream mode and pulls all rows from all recordsets to a given stream.
Arguments
Example
const request = new sql.Request()
request.pipe(stream)
request.query('select * from mytable')
stream.on('error', err => {
// ...
})
stream.on('finish', () => {
// ...
})
Execute the SQL command. To execute commands like create procedure or if you plan to work with local temporary tables, use batch instead.
Arguments
Example
const request = new sql.Request()
request.query('select 1 as number', (err, result) => {
// ... error checks
console.log(result.recordset[0].number) // return 1
// ...
})
Errors
RequestError - Request timeout.
RequestError - Message from SQL Server
RequestError - Cancelled.
RequestError - No connection is specified for that request.
ConnectionError - Connection not yet open.
ConnectionError - Connection is closed.
TransactionError - Transaction has not begun.
TransactionError - Transaction was aborted (by user or because of an error).
const request = new sql.Request()
request.query('select 1 as number; select 2 as number', (err, result) => {
// ... error checks
console.log(result.recordset[0].number) // return 1
console.log(result.recordsets[0][0].number) // return 1
console.log(result.recordsets[1][0].number) // return 2
})
NOTE: To get number of rows affected by the statement(s), see section Affected Rows.
Execute the SQL command. Unlike query, it doesn't use sp_executesql, so it is not likely that SQL Server will reuse the execution plan it generates for the SQL. Use this only in special cases, for example when you need to execute commands like create procedure which can't be executed with query or if you're executing statements longer than 4000 chars on SQL Server 2000. Also you should use this if you plan to work with local temporary tables (more information here).
NOTE: Table-Valued Parameter (TVP) is not supported in batch.
Arguments
Example
const request = new sql.Request()
request.batch('create procedure #temporary as select * from table', (err, result) => {
// ... error checks
})
Errors
RequestError - Request timeout.
RequestError - Message from SQL Server
RequestError - Cancelled.
RequestError - No connection is specified for that request.
ConnectionError - Connection not yet open.
ConnectionError - Connection is closed.
TransactionError - Transaction has not begun.
TransactionError - Transaction was aborted (by user or because of an error).
You can enable multiple recordsets in queries with the request.multiple = true command.
Perform a bulk insert.
Arguments
sql.Table instance.
Example
const table = new sql.Table('table_name') // or temporary table, e.g. #temptable
table.create = true
table.columns.add('a', sql.Int, {nullable: true, primary: true})
table.columns.add('b', sql.VarChar(50), {nullable: false})
table.rows.add(777, 'test')
const request = new sql.Request()
request.bulk(table, (err, result) => {
// ... error checks
})
IMPORTANT: Always indicate whether the column is nullable or not!
TIP: If you set table.create to true, module will check if the table exists before it starts sending data. If it doesn't, it will automatically create it. You can specify primary key columns by setting primary: true to column's options. Primary key constraint on multiple columns is supported.
TIP: You can also create Table variable from any recordset with recordset.toTable(). You can optionally specify table type name in the first argument.
Errors
RequestError - Table name must be specified for bulk insert.
RequestError - Request timeout.
RequestError - Message from SQL Server
RequestError - Cancelled.
RequestError - No connection is specified for that request.
ConnectionError - Connection not yet open.
ConnectionError - Connection is closed.
TransactionError - Transaction has not begun.
TransactionError - Transaction was aborted (by user or because of an error).
Cancel currently executing request. Return true if cancellation packet was sent successfully.
Example
const request = new sql.Request()
request.query('waitfor delay \'00:00:05\'; select 1 as number', (err, result) => {
console.log(err instanceof sql.RequestError) // true
console.log(err.message) // Cancelled.
console.log(err.code) // ECANCEL
// ...
})
request.cancel()
IMPORTANT: always use Transaction class to create transactions - it ensures that all your requests are executed on one connection. Once you call begin, a single connection is acquired from the connection pool and all subsequent requests (initialized with the Transaction object) are executed exclusively on this connection. After you call commit or rollback, connection is then released back to the connection pool.
const transaction = new sql.Transaction(/* [pool] */)
If you omit connection argument, global connection is used instead.
Example
const transaction = new sql.Transaction(/* [pool] */)
transaction.begin(err => {
// ... error checks
const request = new sql.Request(transaction)
request.query('insert into mytable (mycolumn) values (12345)', (err, result) => {
// ... error checks
transaction.commit(err => {
// ... error checks
console.log("Transaction committed.")
})
})
})
Transaction can also be created by const transaction = pool.transaction(). Requests can also be created by const request = transaction.request().
Aborted transactions
This example shows how you should correctly handle transaction errors when abortTransactionOnError (XACT_ABORT) is enabled. Added in 2.0.
const transaction = new sql.Transaction(/* [pool] */)
transaction.begin(err => {
// ... error checks
let rolledBack = false
transaction.on('rollback', aborted => {
// emitted with aborted === true
rolledBack = true
})
new sql.Request(transaction)
.query('insert into mytable (bitcolumn) values (2)', (err, result) => {
// insert should fail because of invalid value
if (err) {
if (!rolledBack) {
transaction.rollback(err => {
// ... error checks
})
}
} else {
transaction.commit(err => {
// ... error checks
})
}
})
})
Begin a transaction.
Arguments
READ_COMMITTED by default. For possible values see sql.ISOLATION_LEVEL.
Example
const transaction = new sql.Transaction()
transaction.begin(err => {
// ... error checks
})
Errors
ConnectionError - Connection not yet open.
TransactionError - Transaction has already begun.
Commit a transaction.
Arguments
Example
const transaction = new sql.Transaction()
transaction.begin(err => {
// ... error checks
transaction.commit(err => {
// ... error checks
})
})
Errors
TransactionError - Transaction has not begun.
TransactionError - Can't commit transaction. There is a request in progress.
Rollback a transaction. If the queue isn't empty, all queued requests will be Cancelled and the transaction will be marked as aborted.
Arguments
Example
const transaction = new sql.Transaction()
transaction.begin(err => {
// ... error checks
transaction.rollback(err => {
// ... error checks
})
})
Errors
TransactionError - Transaction has not begun.
TransactionError - Can't rollback transaction. There is a request in progress.
IMPORTANT: always use PreparedStatement class to create prepared statements - it ensures that all your executions of prepared statement are executed on one connection. Once you call prepare, a single connection is acquired from the connection pool and all subsequent executions are executed exclusively on this connection. After you call unprepare, the connection is then released back to the connection pool.
const ps = new sql.PreparedStatement(/* [pool] */)
If you omit the connection argument, the global connection is used instead.
Example
const ps = new sql.PreparedStatement(/* [pool] */)
ps.input('param', sql.Int)
ps.prepare('select @param as value', err => {
// ... error checks
ps.execute({param: 12345}, (err, result) => {
// ... error checks
// release the connection after queries are executed
ps.unprepare(err => {
// ... error checks
})
})
})
IMPORTANT: Remember that each prepared statement means one reserved connection from the pool. Don't forget to unprepare a prepared statement when you've finished your queries!
You can execute multiple queries against the same prepared statement but you must unprepare the statement when you have finished using it otherwise you will cause the connection pool to run out of available connections.
TIP: You can also create prepared statements in transactions (new sql.PreparedStatement(transaction)), but keep in mind you can't execute other requests in the transaction until you call unprepare.
Add an input parameter to the prepared statement.
Arguments
Example
ps.input('input_parameter', sql.Int)
ps.input('input_parameter', sql.VarChar(50))
Errors (synchronous)
PreparedStatementError - Invalid number of arguments.
PreparedStatementError - SQL injection warning.
Add an output parameter to the prepared statement.
Arguments
Example
ps.output('output_parameter', sql.Int)
ps.output('output_parameter', sql.VarChar(50))
Errors (synchronous)
PreparedStatementError - Invalid number of arguments.
PreparedStatementError - SQL injection warning.
Prepare a statement.
Arguments
Example
const ps = new sql.PreparedStatement()
ps.prepare('select @param as value', err => {
// ... error checks
})
Errors
ConnectionError - Connection not yet open.
PreparedStatementError - Statement is already prepared.
TransactionError - Transaction has not begun.
Execute a prepared statement.
Arguments
Example
const ps = new sql.PreparedStatement()
ps.input('param', sql.Int)
ps.prepare('select @param as value', err => {
    // ... error checks
    ps.execute({param: 12345}, (err, result) => {
        // ... error checks
        console.log(result.recordset[0].value) // return 12345
        console.log(result.rowsAffected) // Returns number of affected rows in case of INSERT, UPDATE or DELETE statement.
        ps.unprepare(err => {
            // ... error checks
        })
    })
})
You can also stream the executed request.
const ps = new sql.PreparedStatement()
ps.input('param', sql.Int)
ps.prepare('select @param as value', err => {
    // ... error checks
    ps.stream = true
    const request = ps.execute({param: 12345})
    request.on('recordset', columns => {
        // Emitted once for each recordset in a query
    })
    request.on('row', row => {
        // Emitted for each row in a recordset
    })
    request.on('error', err => {
        // May be emitted multiple times
    })
    request.on('done', result => {
        // Always emitted as the last one
        console.log(result.rowsAffected) // Returns number of affected rows in case of INSERT, UPDATE or DELETE statement.
        ps.unprepare(err => {
            // ... error checks
        })
    })
})
TIP: To learn more about how the number of affected rows works, see the Affected Rows section.
Errors
ENOTPREPARED (PreparedStatementError) - Statement is not prepared.
ETIMEOUT (RequestError) - Request timeout.
EREQUEST (RequestError) - Message from SQL Server
ECANCEL (RequestError) - Cancelled.
Unprepare a prepared statement.
Arguments
Example
const ps = new sql.PreparedStatement()
ps.input('param', sql.Int)
ps.prepare('select @param as value', err => {
    // ... error checks
    ps.unprepare(err => {
        // ... error checks
    })
})
Errors
ENOTPREPARED (PreparedStatementError) - Statement is not prepared.
Before you can start using the CLI, you must install mssql globally with npm install mssql -g. Once you do that, you will be able to execute the mssql command.
Setup
Create a .mssql.json configuration file (anywhere). The structure of the file is the same as the standard configuration object.
{
    "user": "...",
    "password": "...",
    "server": "localhost",
    "database": "..."
}
Example
echo "select * from mytable" | mssql /path/to/config
Results in:
[[{"username":"patriksimek","password":"tooeasy"}]]
You can also query for multiple recordsets.
echo "select * from mytable; select * from myothertable" | mssql
Results in:
[[{"username":"patriksimek","password":"tooeasy"}],[{"id":15,"name":"Product name"}]]
If you omit the config path argument, mssql will try to load it from the current working directory.
node-mssql has a built-in serializer for Geography and Geometry CLR data types.
select geography::STGeomFromText('LINESTRING(-122.360 47.656, -122.343 47.656 )', 4326)
select geometry::STGeomFromText('LINESTRING (100 100 10.3 12, 20 180, 180 180)', 0)
Results in:
{ srid: 4326,
  version: 1,
  points: [ { x: 47.656, y: -122.36 }, { x: 47.656, y: -122.343 } ],
  figures: [ { attribute: 1, pointOffset: 0 } ],
  shapes: [ { parentOffset: -1, figureOffset: 0, type: 2 } ],
  segments: [] }
{ srid: 0,
  version: 1,
  points:
   [ { x: 100, y: 100, z: 10.3, m: 12 },
     { x: 20, y: 180, z: NaN, m: NaN },
     { x: 180, y: 180, z: NaN, m: NaN } ],
  figures: [ { attribute: 1, pointOffset: 0 } ],
  shapes: [ { parentOffset: -1, figureOffset: 0, type: 2 } ],
  segments: [] }
Supported on SQL Server 2008 and later. You can pass a data table as a parameter to a stored procedure. First, we have to create a custom type in our database.
CREATE TYPE TestType AS TABLE ( a VARCHAR(50), b INT );
Next we will need a stored procedure.
CREATE PROCEDURE MyCustomStoredProcedure (@tvp TestType readonly) AS SELECT * FROM @tvp
Now let's go back to our Node.js app.
const tvp = new sql.Table() // You can optionally specify table type name in the first argument.
// Columns must correspond with type we have created in database.
tvp.columns.add('a', sql.VarChar(50))
tvp.columns.add('b', sql.Int)
// Add rows
tvp.rows.add('hello tvp', 777) // Values are in same order as columns.
You can send the table as a parameter to a stored procedure.
const request = new sql.Request()
request.input('tvp', tvp)
request.execute('MyCustomStoredProcedure', (err, result) => {
    // ... error checks
    console.dir(result.recordsets[0][0]) // {a: 'hello tvp', b: 777}
})
TIP: You can also create a Table variable from any recordset with recordset.toTable(). You can optionally specify the table type name in the first argument.
If you're performing INSERT, UPDATE or DELETE in a query, you can read the number of affected rows. The rowsAffected variable is an array of numbers. Each number represents the number of rows affected by a single statement.
Example using Promises
const request = new sql.Request()
request.query('update myAwesomeTable set awesomness = 100').then(result => {
    console.log(result.rowsAffected)
})
Example using callbacks
const request = new sql.Request()
request.query('update myAwesomeTable set awesomness = 100', (err, result) => {
    console.log(result.rowsAffected)
})
Example using streaming
const request = new sql.Request()
request.stream = true
request.query('update myAwesomeTable set awesomness = 100')
request.on('done', result => {
    console.log(result.rowsAffected)
})
SQL Server 2016 introduced built-in JSON serialization. By default, JSON is returned as plain text in a special column named JSON_F52E2B61-18A1-11d1-B105-00805F49916B.
Example
SELECT
    1 AS 'a.b.c',
    2 AS 'a.b.d',
    3 AS 'a.x',
    4 AS 'a.y'
FOR JSON PATH
Results in:
recordset = [ { 'JSON_F52E2B61-18A1-11d1-B105-00805F49916B': '{"a":{"b":{"c":1,"d":2},"x":3,"y":4}}' } ]
You can enable the built-in JSON parser with config.parseJSON = true. Once you enable this, the recordset will contain rows of parsed JS objects. Given the same example, the result will look like this:
recordset = [ { a: { b: { c: 1, d: 2 }, x: 3, y: 4 } } ]
IMPORTANT: In order for this to work, there must be exactly one column named JSON_F52E2B61-18A1-11d1-B105-00805F49916B in the recordset.
More information about JSON support can be found in the official documentation.
If your queries contain output columns with identical names, the default behaviour of mssql will only return column metadata for the last column with that name. You will also not always be able to re-assemble the order of output columns requested.
Default behaviour:
const request = new sql.Request()
request
    .query("select 'asdf' as name, 'qwerty' as other_name, 'jkl' as name")
    .then(result => {
        console.log(result)
    });
Results in:
{
  recordsets: [
    [ { name: [ 'asdf', 'jkl' ], other_name: 'qwerty' } ]
  ],
  recordset: [ { name: [ 'asdf', 'jkl' ], other_name: 'qwerty' } ],
  output: {},
  rowsAffected: [ 1 ]
}
You can use the arrayRowMode configuration parameter to return the row values as arrays and add a separate array of column values. arrayRowMode can be set globally during the initial connection, or per-request.
const request = new sql.Request()
request.arrayRowMode = true
request
    .query("select 'asdf' as name, 'qwerty' as other_name, 'jkl' as name")
    .then(result => {
        console.log(result)
    });
Results in:
{
  recordsets: [ [ [ 'asdf', 'qwerty', 'jkl' ] ] ],
  recordset: [ [ 'asdf', 'qwerty', 'jkl' ] ],
  output: {},
  rowsAffected: [ 1 ],
  columns: [
    [
      {
        index: 0,
        name: 'name',
        length: 4,
        type: [sql.VarChar],
        scale: undefined,
        precision: undefined,
        nullable: false,
        caseSensitive: false,
        identity: false,
        readOnly: true
      },
      {
        index: 1,
        name: 'other_name',
        length: 6,
        type: [sql.VarChar],
        scale: undefined,
        precision: undefined,
        nullable: false,
        caseSensitive: false,
        identity: false,
        readOnly: true
      },
      {
        index: 2,
        name: 'name',
        length: 3,
        type: [sql.VarChar],
        scale: undefined,
        precision: undefined,
        nullable: false,
        caseSensitive: false,
        identity: false,
        readOnly: true
      }
    ]
  ]
}
Streaming Duplicate Column Names
When using arrayRowMode with stream enabled, the output from the recordset event (as described in Streaming) is returned as an array of column metadata, instead of as a keyed object. The order of the column metadata provided by the recordset event will match the order of row values when arrayRowMode is enabled.
Default behaviour (without arrayRowMode):
const request = new sql.Request()
request.stream = true
request.query("select 'asdf' as name, 'qwerty' as other_name, 'jkl' as name")
request.on('recordset', recordset => console.log(recordset))
Results in:
{
  name: {
    index: 2,
    name: 'name',
    length: 3,
    type: [sql.VarChar],
    scale: undefined,
    precision: undefined,
    nullable: false,
    caseSensitive: false,
    identity: false,
    readOnly: true
  },
  other_name: {
    index: 1,
    name: 'other_name',
    length: 6,
    type: [sql.VarChar],
    scale: undefined,
    precision: undefined,
    nullable: false,
    caseSensitive: false,
    identity: false,
    readOnly: true
  }
}
With arrayRowMode:
const request = new sql.Request()
request.stream = true
request.arrayRowMode = true
request.query("select 'asdf' as name, 'qwerty' as other_name, 'jkl' as name")
request.on('recordset', recordset => console.log(recordset))
Results in:
[
  {
    index: 0,
    name: 'name',
    length: 4,
    type: [sql.VarChar],
    scale: undefined,
    precision: undefined,
    nullable: false,
    caseSensitive: false,
    identity: false,
    readOnly: true
  },
  {
    index: 1,
    name: 'other_name',
    length: 6,
    type: [sql.VarChar],
    scale: undefined,
    precision: undefined,
    nullable: false,
    caseSensitive: false,
    identity: false,
    readOnly: true
  },
  {
    index: 2,
    name: 'name',
    length: 3,
    type: [sql.VarChar],
    scale: undefined,
    precision: undefined,
    nullable: false,
    caseSensitive: false,
    identity: false,
    readOnly: true
  }
]
There are 4 types of errors you can handle:
Those errors are initialized in the node-mssql module and their original stack may be cropped. You can always access the original error with err.originalError.
SQL Server may generate more than one error for one request, so you can access preceding errors with err.precedingErrors.
Each known error has name, code and message properties.
Name | Code | Message |
---|---|---|
ConnectionError | ELOGIN | Login failed. |
ConnectionError | ETIMEOUT | Connection timeout. |
ConnectionError | EDRIVER | Unknown driver. |
ConnectionError | EALREADYCONNECTED | Database is already connected! |
ConnectionError | EALREADYCONNECTING | Already connecting to database! |
ConnectionError | ENOTOPEN | Connection not yet open. |
ConnectionError | EINSTLOOKUP | Instance lookup failed. |
ConnectionError | ESOCKET | Socket error. |
ConnectionError | ECONNCLOSED | Connection is closed. |
TransactionError | ENOTBEGUN | Transaction has not begun. |
TransactionError | EALREADYBEGUN | Transaction has already begun. |
TransactionError | EREQINPROG | Can't commit/rollback transaction. There is a request in progress. |
TransactionError | EABORT | Transaction has been aborted. |
RequestError | EREQUEST | Message from SQL Server. Error object contains additional details. |
RequestError | ECANCEL | Cancelled. |
RequestError | ETIMEOUT | Request timeout. |
RequestError | EARGS | Invalid number of arguments. |
RequestError | EINJECT | SQL injection warning. |
RequestError | ENOCONN | No connection is specified for that request. |
PreparedStatementError | EARGS | Invalid number of arguments. |
PreparedStatementError | EINJECT | SQL injection warning. |
PreparedStatementError | EALREADYPREPARED | Statement is already prepared. |
PreparedStatementError | ENOTPREPARED | Statement is not prepared. |
SQL errors (RequestError with err.code equal to EREQUEST) contain additional details.
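The name, code, message and precedingErrors properties described above are enough to build a server-side log record while keeping SQL Server's own message text away from the caller. The following is an added example, not part of node-mssql; the function name describeSqlError and the retry and alert policies are assumptions.

```javascript
// Added example, not part of node-mssql. The two policy sets are assumptions.
const TRANSIENT = new Set(['ETIMEOUT', 'ESOCKET', 'ECONNCLOSED'])
const ALERT = new Set(['ELOGIN', 'EINJECT'])

function describeSqlError (err) {
  // SQL Server can raise several errors for one request; keep them in order,
  // with the error that was actually thrown last.
  const chain = [...(err.precedingErrors || []), err]
  const log = chain.map(e => ({ name: e.name, code: e.code, message: e.message }))

  // ETIMEOUT is listed for both ConnectionError and RequestError. Only the
  // connection-level one is retried here, because a request that timed out
  // may already have changed data.
  const retry = err.name === 'ConnectionError' && TRANSIENT.has(err.code)

  return {
    log, // full detail, for server-side logs only
    retry,
    alert: chain.some(e => ALERT.has(e.code)),
    // err.message is never echoed back: EREQUEST text comes from SQL Server
    // and can name tables, columns and constraints.
    clientMessage: retry ? 'Temporarily unavailable, retry later.' : 'Request failed.'
  }
}

// Constructed sample error, shaped like the errors in the table above.
function sampleRequestError () {
  const first = Object.assign(new Error("Invalid object name 'x'."),
    { name: 'RequestError', code: 'EREQUEST' })
  return Object.assign(new Error('Statement failed.'),
    { name: 'RequestError', code: 'EREQUEST', precedingErrors: [first] })
}

console.dir(describeSqlError(sampleRequestError()), { depth: 3 })
```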
To receive informational messages generated by PRINT or RAISERROR commands use:
const request = new sql.Request()
request.on('info', info => {
    console.dir(info)
})
request.query('print \'Hello world.\';', (err, result) => {
    // ...
})
Structure of informational message:
Recordset metadata are accessible through the recordset.columns property.
const request = new sql.Request()
request.query('select convert(decimal(18, 4), 1) as first, \'asdf\' as second', (err, result) => {
    console.dir(result.recordset.columns)
    console.log(result.recordset.columns.first.type === sql.Decimal) // true
    console.log(result.recordset.columns.second.type === sql.VarChar) // true
})
Columns structure for example above:
{
  first: {
    index: 0,
    name: 'first',
    length: 17,
    type: [sql.Decimal],
    scale: 4,
    precision: 18,
    nullable: true,
    caseSensitive: false,
    identity: false,
    readOnly: true
  },
  second: {
    index: 1,
    name: 'second',
    length: 4,
    type: [sql.VarChar],
    nullable: false,
    caseSensitive: false,
    identity: false,
    readOnly: true
  }
}
You can define data types with length/precision/scale:
request.input("name", sql.VarChar, "abc") // varchar(3)
request.input("name", sql.VarChar(50), "abc") // varchar(50)
request.input("name", sql.VarChar(sql.MAX), "abc") // varchar(MAX)
request.output("name", sql.VarChar) // varchar(8000)
request.output("name", sql.VarChar, "abc") // varchar(3)
request.input("name", sql.Decimal, 155.33) // decimal(18, 0)
request.input("name", sql.Decimal(10), 155.33) // decimal(10, 0)
request.input("name", sql.Decimal(10, 2), 155.33) // decimal(10, 2)
request.input("name", sql.DateTime2, new Date()) // datetime2(7)
request.input("name", sql.DateTime2(5), new Date()) // datetime2(5)
List of supported data types:
sql.Bit
sql.BigInt
sql.Decimal ([precision], [scale])
sql.Float
sql.Int
sql.Money
sql.Numeric ([precision], [scale])
sql.SmallInt
sql.SmallMoney
sql.Real
sql.TinyInt
sql.Char ([length])
sql.NChar ([length])
sql.Text
sql.NText
sql.VarChar ([length])
sql.NVarChar ([length])
sql.Xml
sql.Time ([scale])
sql.Date
sql.DateTime
sql.DateTime2 ([scale])
sql.DateTimeOffset ([scale])
sql.SmallDateTime
sql.UniqueIdentifier
sql.Variant
sql.Binary
sql.VarBinary ([length])
sql.Image
sql.UDT
sql.Geography
sql.Geometry
To set up MAX length for VarChar, NVarChar and VarBinary use sql.MAX length. Types sql.Xml and sql.Variant are not supported as input parameters.
This module has built-in SQL injection protection. Always use parameters or tagged template literals to pass sanitized values to your queries.
const request = new sql.Request()
request.input('myval', sql.VarChar, '-- commented')
request.query('select @myval as myval', (err, result) => {
    console.dir(result)
})
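Parameters and tagged template literals work for the same reason: the value travels separately from the SQL text instead of being spliced into it. The sketch below is an added illustration, not mssql's source; toParameterized, its paramN naming and the sample table and value are assumptions made to show what a tag function receives, next to the string-concatenated form it replaces.

```javascript
// Added illustration, not mssql's source code. A tag function receives the
// literal SQL fragments and the interpolated values as separate arguments,
// so each value can be bound as a parameter instead of pasted into the text.
function toParameterized (strings, ...values) {
  const params = {}
  let command = strings[0]
  values.forEach((value, i) => {
    const name = `param${i + 1}` // hypothetical naming scheme
    params[name] = value
    command += `@${name}` + strings[i + 1]
  })
  return { command, params }
}

// Unsafe counterpart: the value becomes part of the statement itself.
function concatenated (name) {
  return "select * from mytable where name = '" + name + "'"
}

// Constructed input: an apostrophe and a comment marker, both of which are
// ordinary data to a parameter but SQL syntax once concatenated.
const input = "O'Brien -- commented"

function demo () {
  return {
    unsafe: concatenated(input),
    safe: toParameterized`select * from mytable where name = ${input}`
  }
}

console.log(demo())
// With mssql itself the safe form is the tagged call, for example:
//   sql.query`select * from mytable where name = ${input}`
```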
config.options.tdsVersion = '7_1' (issue)
tarn.js so _poolDestroy can take advantage of being a promise
ConnectionPool.close() now returns a promise / callbacks will be executed once closing of the pool is complete; you must make sure that connections are properly released back to the pool otherwise the pool may fail to close.
options.encrypt is now true by default
TYPES.Null has now been removed
const conn = sql.connect(); conn.close() will be the same as sql.close()
sql.connect()) will return the current global connection if it exists (rather than throwing an error)
replaceInput and replaceOutput instead
Transactions will now throw an error
ConnectionPool now reports if it is healthy or not (ConnectionPool.healthy) which can be used to determine if the pool is able to create new connections or not
node-pool to tarn.js
ConnectionPool.pool.size deprecated, use ConnectionPool.size instead
ConnectionPool.pool.available deprecated, use ConnectionPool.available instead
ConnectionPool.pool.pending deprecated, use ConnectionPool.pending instead
ConnectionPool.pool.borrowed deprecated, use ConnectionPool.borrowed instead
Connection was renamed to ConnectionPool.
msnodesqlv8 driver, use const sql = require('mssql/msnodesqlv8') syntax.
result object only. This object contains recordsets (array of recordsets), recordset (first recordset from array of recordsets), rowsAffected (array of numbers representing number of affected rows by each insert/update/delete statement) and output (key/value collection of output parameters' values).
multiple: true was removed.
Transaction and PreparedStatement internal queues were removed.
connect and close events.
tds and msnodesql drivers.
FAQs
Microsoft SQL Server client for Node.js.
The npm package mssql receives a total of 637,789 weekly downloads. As such, mssql popularity was classified as popular.
We found that mssql demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.