pg-format - npm Package Compare versions

Comparing version 0.1.4 to 1.0.1

lib/index.js

@@ -45,9 +45,9 @@ // reserved Postgres words
         throw new Error('SQL identifier cannot be an object');
-    } else {
-        value = value.toString();
     }
 
+    var ident = value.toString().slice(0); // create copy
+
     // do not quote a valid, unquoted identifier
-    if (/^[a-z_][a-z0-9_$]*$/.test(value) === true && isReserved(value) === false) {
-        return value;
+    if (/^[a-z_][a-z0-9_$]*$/.test(ident) === true && isReserved(ident) === false) {
+        return ident;
     }
@@ -57,4 +57,4 @@
 
-    for (var i = 0; i < value.length; i++) {
-        var c = value[i];
+    for (var i = 0; i < ident.length; i++) {
+        var c = ident[i];
         if (c === '"') {
@@ -75,2 +75,4 @@ quoted += c + c;
 
+    var literal = null;
+
     if (value === undefined || value === null) {
@@ -93,5 +95,5 @@ return 'NULL';
     } else if (value === Object(value)) {
-        value = JSON.stringify(value);
+        literal = JSON.stringify(value);
     } else {
-        value = value.toString();
+        literal = value.toString().slice(0); // create copy
     }
@@ -102,4 +104,4 @@
 
-    for (var i = 0; i < value.length; i++) {
-        var c = value[i];
+    for (var i = 0; i < literal.length; i++) {
+        var c = literal[i];
         if (c === '\'') {
@@ -148,3 +150,3 @@ quoted += c + c;
 
-    return value.toString();
+    return value.toString().slice(0); // return copy
 }
@@ -167,3 +169,3 @@
 function formatWithArray(fmt, parameters) {
-    var i = 1;
+    var i = 0;
     var params = parameters;
@@ -197,3 +199,5 @@
 function format(fmt) {
-    return formatWithArray(fmt, arguments);
+    var args = Array.prototype.slice.call(arguments);
+    args = args.slice(1); // first argument is fmt
+    return formatWithArray(fmt, args);
 }
@@ -200,0 +204,0 @@

package.json

@@ -7,5 +7,6 @@ {
     "name": "pg-format",
+    "license": "MIT",
     "homepage": "https://github.com/datalanche/node-pg-format",
     "description": "Node.js implementation of PostgreSQL's format() to safely create dynamic SQL queries.",
-    "version": "0.1.4",
+    "version": "1.0.1",
     "repository": {
@@ -19,10 +20,4 @@ "type": "git",
     },
-    "licenses": [
-        {
-            "type": "MIT",
-            "url": "https://github.com/datalanche/node-pg-format/raw/master/LICENSE"
-        }
-    ],
     "engines": {
-        "node": ">=0.10"
+        "node": ">=4.0"
     },
@@ -32,5 +27,8 @@ "dependencies": {
     "devDependencies": {
-        "mocha": "*",
-        "should": "*"
+        "mocha": "2.3.3",
+        "should": "7.1.1"
+    },
+    "scripts": {
+        "test": "node ./node_modules/mocha/bin/mocha"
     }
 }

README.md

 node-pg-format
 ==============
 
-Node.js implementation of [PostgreSQL format()](http://www.postgresql.org/docs/9.3/static/functions-string.html#FUNCTIONS-STRING-FORMAT) to safely create dynamic SQL queries. SQL identifiers and literals are escaped to help prevent SQL injection. The behavior is equivalent to [PostgreSQL format()](http://www.postgresql.org/docs/9.3/static/functions-string.html#FUNCTIONS-STRING-FORMAT) except when handling Javascript arrays and objects which is explained [below](#arrobject).
+Node.js implementation of [PostgreSQL format()](http://www.postgresql.org/docs/9.3/static/functions-string.html#FUNCTIONS-STRING-FORMAT) to safely create dynamic SQL queries. SQL identifiers and literals are escaped to help prevent SQL injection. The behavior is equivalent to [PostgreSQL format()](http://www.postgresql.org/docs/9.3/static/functions-string.html#FUNCTIONS-STRING-FORMAT). This module also supports Node buffers, arrays, and objects which is explained [below](#arrobject).
 
@@ -41,3 +41,3 @@ ## Install
 ### format.ident(input)
-Returns the input as an escaped SQL identifier string. ```undefined```, ```null```, arrays, and objects will throw an error.
+Returns the input as an escaped SQL identifier string. ```undefined```, ```null```, and objects will throw an error.
 
@@ -53,4 +53,7 @@ ### format.literal(input)
 
+## <a name="buffer"></a> Node Buffers
+Node buffers can be used for literals (```%L```) and strings (```%s```), and will be converted to [PostgreSQL bytea hex format](http://www.postgresql.org/docs/9.3/static/datatype-binary.html).
+
 ## <a name="arrobject"></a> Arrays and Objects
-Javascript objects can be used for literals (```%L```) and strings (```%s```), but not identifiers (```%I```). For arrays, each element is escaped when appropriate and concatenated to a comma-delimited string. For objects, ```JSON.stringify()``` is called and the resulting string is escaped if appropriate. See the example below.
+For arrays, each element is escaped when appropriate and concatenated to a comma-delimited string. For objects, ```JSON.stringify()``` is called and the resulting string is escaped if appropriate. Objects can be used for literals (```%L```) and strings (```%s```), but not identifiers (```%I```). See the example below.
 
@@ -66,1 +69,8 @@ ```js
 ```
+
+## Testing
+
+```
+npm install
+npm test
+```

test/index.js

@@ -5,3 +5,4 @@ //
 var assert = require('assert');
-var format = require('../lib');
+var format = require(__dirname + '/../lib');
+var should = require('should');
 
@@ -44,2 +45,36 @@ var testDate = new Date(Date.UTC(2012, 11, 14, 13, 6, 43, 152));
 
+describe('format.withArray(fmt, args)', function() {
+    describe('%s', function() {
+        it('should format as a simple string', function() {
+            format.withArray('some %s here', [ 'thing' ]).should.equal('some thing here');
+            format.withArray('some %s thing %s', [ 'long', 'here' ]).should.equal('some long thing here');
+        });
+    });
+
+    describe('%%', function() {
+        it('should format as %', function() {
+            format.withArray('some %%', [ 'thing' ]).should.equal('some %');
+        });
+
+        it('should not eat args', function() {
+            format.withArray('just %% a %s', [ 'test' ]).should.equal('just % a test');
+            format.withArray('just %% a %s %s %s', [ 'test', 'again', 'and again' ]).should.equal('just % a test again and again');
+        });
+    });
+
+    describe('%I', function() {
+        it('should format as an identifier', function() {
+            format.withArray('some %I', [ 'foo/bar/baz' ]).should.equal('some "foo/bar/baz"');
+            format.withArray('some %I and %I', [ 'foo/bar/baz', '#hey' ]).should.equal('some "foo/bar/baz" and "#hey"');
+        });
+    });
+
+    describe('%L', function() {
+        it('should format as a literal', function() {
+            format.withArray('%L', [ "Tobi's" ]).should.equal("'Tobi''s'");
+            format.withArray('%L %L', [ "Tobi's", "birthday" ]).should.equal("'Tobi''s' 'birthday'");
+        });
+    });
+});
+
 describe('format.string(val)', function() {
@@ -46,0 +81,0 @@ it('should coerce to a string', function() {

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

No v1

Quality

Package is not semver >=1. This means it is not stable and does not support ^ ranges.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

20999

increased by9.88%

Lines of code

472

increased by7.27%

Number of low quality alerts

0

decreased by-100%

Number of lines in readme file

73

increased by14.06%

Worsened metrics

Number of low supply chain risk alerts

2

increased by100%

No dependency changes