Comparing version 9.2.0 to 10.0.0
@@ -9,12 +9,12 @@ "use strict"; | ||
const mapTaggedTemplateLiteralInvocation = targetMethod => { | ||
return (maybeQuery, values = []) => { | ||
if (typeof maybeQuery === 'string') { | ||
return targetMethod(maybeQuery, values); | ||
} else { | ||
if (!Array.isArray(values)) { | ||
throw new TypeError('Unexpected state.'); | ||
} | ||
return (query, values = []) => { | ||
if (typeof query === 'string') { | ||
throw new TypeError('Query must be constructed using `sql` tagged template literal.'); | ||
} | ||
return targetMethod(maybeQuery.sql, maybeQuery.values.concat(values)); | ||
if (!Array.isArray(values)) { | ||
throw new TypeError('Unexpected state.'); | ||
} | ||
return targetMethod(query.sql, query.values.concat(values)); | ||
}; | ||
@@ -21,0 +21,0 @@ }; |
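Review bot: The new guard `if (typeof query === 'string')` rejects only string queries; any other value (undefined, a plain object, or a hand-built `{sql, values}` literal) passes straight to `query.sql` and `query.values.concat(values)`, so a missing `values` property surfaces as a generic property-access TypeError instead of the intended message, and an object that was never produced by the `sql` tag is accepted as if it had been. Since the point of this change is to force construction through the tagged template, the guard should validate the shape it depends on, e.g. `if (query == null || typeof query.sql !== 'string' || !Array.isArray(query.values))` throwing the same TypeError as the string case, and ideally test a tag-specific marker if the `sql` helper sets one (not visible in this diff). The same check appears unchanged in the Flow source hunk of this function further down the page (`export default (targetMethod: *) =>`), so both should be updated together. The `'Unexpected state.'` message for a non-array `values` would also be more useful if it named the argument, e.g. `'values must be an array.'`.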
@@ -94,3 +94,3 @@ { | ||
}, | ||
"version": "9.2.0" | ||
"version": "10.0.0" | ||
} |
@@ -20,3 +20,3 @@ <a name="slonik"></a> | ||
* [Syntax highlighting](#slonik-syntax-highlighting) (Atom plugin compatible with Slonik). | ||
* [SQL injection guarding](https://github.com/gajus/eslint-plugin-sql) (ESLint plugin compatible with Slonik). | ||
* [SQL injection guarding](#slonik-value-placeholders-tagged-template-literals). | ||
* Detail [logging](#slonik-debugging). | ||
@@ -29,2 +29,3 @@ * [Parsing and logging of the auto_explain logs.](#logging-auto_explain). | ||
* [Transactions](#transactions). | ||
* [ESLint plugin](https://github.com/gajus/eslint-plugin-sql). | ||
@@ -380,3 +381,3 @@ --- | ||
```js | ||
await connection.query('SELECT ?', [ | ||
await connection.query(sql`SELECT ?`, [ | ||
1 | ||
@@ -391,2 +392,3 @@ ]); | ||
SELECT $1 | ||
``` | ||
@@ -402,3 +404,3 @@ | ||
```js | ||
await connection.query('SELECT ?', [ | ||
await connection.query(sql`SELECT ?`, [ | ||
[ | ||
@@ -426,3 +428,3 @@ 1, | ||
```js | ||
await connection.query('SELECT ?', [ | ||
await connection.query(sql`SELECT ?`, [ | ||
[ | ||
@@ -457,3 +459,3 @@ [ | ||
```js | ||
await connection.query('SELECT :foo', { | ||
await connection.query(sql`SELECT :foo`, { | ||
foo: 'FOO' | ||
@@ -474,3 +476,3 @@ }); | ||
Query methods can be executed using `sql` [tagged template literal](https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Template_literals#Tagged_template_literals), e.g. | ||
Slonik query methods can only be executed using `sql` [tagged template literal](https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Template_literals#Tagged_template_literals), e.g. | ||
@@ -541,32 +543,3 @@ ```js | ||
<a name="slonik-value-placeholders-tagged-template-literals-guarding-against-accidental-unescaped-input"></a> | ||
#### Guarding against accidental unescaped input | ||
When using tagged template literals, it is easy to forget to add the `sql` tag, i.e. | ||
Instead of: | ||
```js | ||
connection.query(sql` | ||
INSERT INTO reservation_ticket (reservation_id, ticket_id) | ||
VALUES ${values} | ||
`); | ||
``` | ||
Writing | ||
```js | ||
connection.query(` | ||
INSERT INTO reservation_ticket (reservation_id, ticket_id) | ||
VALUES ${values} | ||
`); | ||
``` | ||
This would expose your application to [SQL injection](https://en.wikipedia.org/wiki/SQL_injection). | ||
Therefore, I recommend using [`eslint-plugin-sql`](https://github.com/gajus/eslint-plugin-sql) `no-unsafe-query` rule. `no-unsafe-query` warns about use of SQL inside of template literals without the `sql` tag. | ||
<a name="slonik-query-methods"></a> | ||
@@ -573,0 +546,0 @@ ## Query methods |
@@ -190,3 +190,3 @@ // @flow | ||
type QueryMethodType<R> = ( | ||
sql: string | TaggledTemplateLiteralInvocationType, | ||
sql: TaggledTemplateLiteralInvocationType, | ||
values?: DatabaseQueryValuesType | ||
@@ -193,0 +193,0 @@ ) => Promise<R>; |
@@ -9,13 +9,13 @@ // @flow | ||
export default (targetMethod: *) => { | ||
return (maybeQuery: string | TaggledTemplateLiteralInvocationType, values: DatabaseQueryValuesType = []) => { | ||
if (typeof maybeQuery === 'string') { | ||
return targetMethod(maybeQuery, values); | ||
} else { | ||
if (!Array.isArray(values)) { | ||
throw new TypeError('Unexpected state.'); | ||
} | ||
return (query: TaggledTemplateLiteralInvocationType, values: DatabaseQueryValuesType = []) => { | ||
if (typeof query === 'string') { | ||
throw new TypeError('Query must be constructed using `sql` tagged template literal.'); | ||
} | ||
return targetMethod(maybeQuery.sql, maybeQuery.values.concat(values)); | ||
if (!Array.isArray(values)) { | ||
throw new TypeError('Unexpected state.'); | ||
} | ||
return targetMethod(query.sql, query.values.concat(values)); | ||
}; | ||
}; |
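Review bot: The runtime branch `if (typeof query === 'string')` now contradicts the declared parameter type `query: TaggledTemplateLiteralInvocationType`, so Flow may treat it as unreachable and a reader cannot tell whether the check is intentional. If it is meant to protect untyped JavaScript callers, a comment such as `// Runtime guard for untyped callers; the Flow type already excludes strings.` above the check would make that explicit. The shape of `query` (that `sql` is a string and `values` an array) is likewise assumed rather than checked before `query.values.concat(values)`, as noted on the compiled-output hunk above.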