Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
react-native-quick-sqlite
Advanced tools
Quick SQLite embeds the latest version of SQLite and provides a low-level JSI-backed API to execute SQL queries. By using an embedded SQLite you get access to the latest security patches and features.
Performance metrics are intentionally not presented, anecdotic testimonies suggest anywhere between 2x and 5x speed improvement.
Javascript cannot represent integers larger than 53 bits, be careful when loading data if it came from other systems. Read more.
import {open} from 'react-native-quick-sqlite'
const db = open('myDb.sqlite')
// The db object now contains the following methods:
db = {
close: () => void,
delete: () => void,
attach: (dbNameToAttach: string, alias: string, location?: string) => void,
detach: (alias: string) => void,
transactionAsync: (fn: (tx: TransactionAsync) => Promise<void>) => void,
transaction: (fn: (tx: Transaction) => void) => void,
execute: (query: string, params?: any[]) => QueryResult,
executeAsync: (
query: string,
params?: any[]
) => Promise<QueryResult>,
executeBatch: (commands: SQLBatchParams[]) => BatchQueryResult,
executeBatchAsync: (commands: SQLBatchParams[]) => Promise<BatchQueryResult>,
loadFile: (location: string) => FileLoadResult;,
loadFileAsync: (location: string) => Promise<FileLoadResult>
}
The basic query is synchronous, it will block rendering on large operations, further below you will find async versions.
import { open } from 'react-native-quick-sqlite';
try {
const db = open('myDb.sqlite');
let { rows } = db.execute('SELECT somevalue FROM sometable');
rows.forEach((row) => {
console.log(row);
});
let { rowsAffected } = await db.executeAsync(
'UPDATE sometable SET somecolumn = ? where somekey = ?',
[0, 1]
);
console.log(`Update affected ${rowsAffected} rows`);
} catch (e) {
console.error('Something went wrong executing SQL commands:', e.message);
}
Transactions are supported. Throwing an error inside the callback will ROLLBACK the transaction.
JSI bindings are fast but there is still some overhead calling execute
for single queries, if you want to execute a large set of commands as fast as possible you should use the executeBatch
method, it wraps all the commands in a transaction, but has less overhead.
QuickSQLite.transaction('myDatabase', (tx) => {
const { status } = tx.execute(
'UPDATE sometable SET somecolumn = ? where somekey = ?',
[0, 1]
);
throw new Error('Random Error!'); // Will ROLLBACK transaction
});
Async transactions are also possible:
QuickSQLite.transactionAsync('myDatabase', async (tx) => {
tx.execute('UPDATE sometable SET somecolumn = ? where somekey = ?', [0, 1]);
await tx.executeAsync(
'UPDATE sometable SET somecolumn = ? where somekey = ?',
[0, 1]
);
});
Batch execution allows transactional execution of a set of commands
const commands = [
['CREATE TABLE TEST (id integer)'],
['INSERT INTO TEST (id) VALUES (?)', [1]],
[('INSERT INTO TEST (id) VALUES (?)', [2])],
[('INSERT INTO TEST (id) VALUES (?)', [[3], [4], [5], [6]])],
];
const res = QuickSQLite.executeSqlBatch('myDatabase', commands);
console.log(`Batch affected ${result.rowsAffected} rows`);
In some scenarios, dynamic applications may need to get some metadata information about the returned result set.
This can be done by testing the returned data directly, but in some cases may not be enough, for example when data is stored outside sqlite datatypes. When fetching data directly from tables or views linked to table columns, SQLite is able to identify the table declared types:
let { metadata } = QuickSQLite.executeSql(
'myDatabase',
'SELECT int_column_1, bol_column_2 FROM sometable'
);
metadata.forEach((column) => {
// Output:
// int_column_1 - INTEGER
// bol_column_2 - BOOLEAN
console.log(`${column.columnName} - ${column.columnDeclaredType}`);
});
You might have too much SQL to process and it will cause your application to freeze. There are async versions for some of the operations. This will offload the SQLite processing to a different thread.
QuickSQLite.executeAsync(
'myDatabase',
'SELECT * FROM "User";',
[]).then(({rows}) => {
console.log('users', rows);
})
);
SQLite supports to attaching or detaching other database files into your main database connection through an alias. You can do any operation you like on this attached database like JOIN results across tables in different schemas, or update data or objects. This databases can have different configurations, like journal modes, cache settings.
You can, at any moment, detach a database that you don't need anymore. Note: You don't need to detach an attached database before closing your connection. Closing the main connection will dettach any attached databases. SQLite has a limit for attached databases: A default of 10, and a global max of 125
QuickSQLite.attach('mainDatabase', 'statistics', 'stats', '../databases');
const res = QuickSQLite.executeSql(
'mainDatabase',
'SELECT * FROM some_table_from_mainschema a INNER JOIN stats.some_table b on a.id_column = b.id_column'
);
// You can detach databases at any moment
QuickSQLite.detach('mainDatabase', 'stats');
if (!detachResult.status) {
// Database de-attached
}
If you have a plain SQL file, you can load it directly, with low memory consumption.
const { rowsAffected, commands } = QuickSQLite.loadFile('myDatabase','/absolute/path/to/file.sql');
Or use the async version which will load the file in another native thread
QuickSQLite.loadFileAsync('myDatabase','/absolute/path/to/file.sql').then((res) => {
const { rowsAffected, commands } = res;
});
On iOS you can use the embedded SQLite, when running pod-install
add an environment flag:
QUICK_SQLITE_USE_PHONE_VERSION=1 npx pod-install
On Android it is not possible to link (using C++) the embedded SQLite. It is also a bad idea due to vendor changes, old android bugs, etc. Unfortunately, this means this library will add some mbs to your app size.
You can use this library as a driver for TypeORM, when initializing the connection use:
datasource = new DataSource({
type: 'react-native',
database: 'typeormdb',
location: '.',
driver: require('react-native-quick-sqlite'),
entities: [Book, User],
synchronize: true,
});
If you are using Node 14+, TypeORM is currently broken with React Native. You can patch your node-modules installation and apply the fix in this issue.
The library creates/opens databases by appending the passed name plus, the documents directory on iOS and the files directory on Android, this differs from other SQL libraries (some place it in a www
folder, some in androids databases
folder, etc.).
If you have an existing database file you want to load you can navigate from these directories using dot notation. e.g. ../www/myDb.sqlite
. Note that on iOS the file system is sand-boxed, so you cannot access files/directories not in your app bundle directories.
Alternatively you can place/move your database file using one of the many react-native fs libraries.
By specifying pre-processor flags, you can enable optional features like FTS5, Geopoly, etc.
Add a post_install
block to your <PROJECT_ROOT>/ios/Podfile
like so:
post_install do |installer|
installer.pods_project.targets.each do |target|
if target.name == "react-native-quick-sqlite" then
target.build_configurations.each do |config|
config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] ||= ['$(inherited)', '<SQLITE_FLAGS>']
end
end
end
end
Replace the <SQLITE_FLAGS>
part with flags you want to add.
For example, you could add SQLITE_ENABLE_FTS5=1
to GCC_PREPROCESSOR_DEFINITIONS
to enable FTS5 in the iOS project.
You can specify flags via <PROJECT_ROOT>/android/gradle.properties
like so:
quickSqliteFlags="<SQLITE_FLAGS>"
If you want to learn how to make your own JSI module buy my JSI/C++ cheat sheet.
MIT License.
FAQs
Fast SQLite for react-native
The npm package react-native-quick-sqlite receives a total of 5,527 weekly downloads. As such, react-native-quick-sqlite popularity was classified as popular.
We found that react-native-quick-sqlite demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.