Node.js implementation of PostgreSQL's format() to safely create dynamic SQL queries.
The pg-format npm package is used to safely create SQL query strings by formatting them with user-provided data. It helps prevent SQL injection attacks by properly escaping and quoting values.
String Formatting
This feature allows you to format strings safely by escaping and quoting values. In this example, the %L placeholder is used to safely insert a literal value into the SQL query.
const format = require('pg-format');
const sql = format('SELECT * FROM users WHERE id = %L', 123);
console.log(sql); // SELECT * FROM users WHERE id = '123'Identifier Formatting
This feature allows you to safely format SQL identifiers such as table or column names. The %I placeholder is used to safely insert an identifier into the SQL query.
const format = require('pg-format');
const sql = format('SELECT %I FROM users', 'user_id');
console.log(sql); // SELECT "user_id" FROM usersArray Formatting
This feature allows you to format arrays of values safely. The %L placeholder is used to safely insert an array of literal values into the SQL query.
const format = require('pg-format');
const sql = format('SELECT * FROM users WHERE id IN (%L)', [1, 2, 3]);
console.log(sql); // SELECT * FROM users WHERE id IN ('1','2','3')Composite Formatting
This feature allows you to format composite values such as arrays of arrays. The %L placeholder is used to safely insert composite values into the SQL query.
const format = require('pg-format');
const sql = format('INSERT INTO users (name, age) VALUES %L', [['John', 30], ['Jane', 25]]);
console.log(sql); // INSERT INTO users (name, age) VALUES ('John', 30), ('Jane', 25)The sqlstring package provides SQL escape and format functions similar to pg-format. It is commonly used with MySQL but can be used with other SQL databases as well. Unlike pg-format, sqlstring is more focused on escaping and formatting for MySQL.
The node-postgres package (pg) is a PostgreSQL client for Node.js. It includes query formatting capabilities similar to pg-format, but it is a more comprehensive package that also handles database connections, query execution, and more. pg-format can be used as a standalone formatter, while node-postgres is a full-featured client.
Knex.js is a SQL query builder for Node.js that supports multiple databases including PostgreSQL. It provides a more abstracted way to build SQL queries compared to pg-format. Knex.js is useful for building complex queries programmatically, whereas pg-format is more focused on safely formatting raw SQL strings.
Node.js implementation of PostgreSQL format() to safely create dynamic SQL queries. SQL identifiers and literals are escaped to help prevent SQL injection. The behavior is equivalent to PostgreSQL format() except when handling Javascript arrays and objects which is explained below.
npm install pg-format
var format = require('pg-format');
var sql = format('SELECT * FROM %I WHERE my_col = %L %s', 'my_table', 34, 'LIMIT 10');
console.log(sql); // SELECT * FROM my_table WHERE my_col = '34' LIMIT 10
Returns a formatted string based on fmt which has a style similar to the C function sprintf().
%% outputs a literal % character.%I outputs an escaped SQL identifier.%L outputs an escaped SQL literal.%s outputs a simple string.Changes the global configuration. You can change which letters are used to denote identifiers, literals, and strings in the formatted string. This is useful when the formatted string contains a PL/pgSQL function which calls PostgreSQL format() itself.
var format = require('pg-format');
format.config({
pattern: {
ident: 'V',
literal: 'C',
string: 't'
}
});
format.config(); // reset to default
Returns the input as an escaped SQL identifier string. undefined, null, arrays, and objects will throw an error.
Returns the input as an escaped SQL literal string. undefined and null will return 'NULL';
Returns the input as a simple string. undefined and null will return an empty string. If an array element is undefined or null, it will be removed from the output string.
Same as format(fmt, ...) except parameters are provided in an array rather than as function arguments. This is useful when dynamically creating a SQL query and the number of parameters is unknown or variable.
Javascript objects can be used for literals (%L) and strings (%s), but not identifiers (%I). For arrays, each element is escaped when appropriate and concatenated to a comma-delimited string. For objects, JSON.stringify() is called and the resulting string is escaped if appropriate. See the example below.
var format = require('pg-format');
var myArray = [ 1, 2, 3 ];
var myObject = { a: 1, b: 2 };
var sql = format('SELECT * FROM t WHERE c1 IN (%L) AND c2 = %L', myArray, myObject);
console.log(sql); // SELECT * FROM t WHERE c1 IN ('1','2','3') AND c2 = '{"a":1,"b":2}'
FAQs
Node.js implementation of PostgreSQL's format() to safely create dynamic SQL queries.
We found that pg-format demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.
Security News
Research
Socket's threat research team has detected five malicious npm packages targeting Roblox developers, deploying malware to steal credentials and personal data.
Security News
vlt introduced its new package manager and a serverless registry this week, innovating in a space where npm has stagnated.