Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
The WebSQL Database API, implemented for Node
using sqlite3. In the browser, it falls back to window.openDatabase
.
npm install websql
var openDatabase = require('websql');
Create a SQLite3 database called mydb.db
:
var db = openDatabase('mydb.db', '1.0', 'description', 1);
Create an in-memory database:
var db = openDatabase(':memory:', '1.0', 'description', 1);
The name
is the name of the database. It's passed verbatim to sqlite3.
The version
is the database version (currently ignored - see below).
The description
and size
attributes are ignored, but they are required for
compatibility with the WebSQL API.
The callback
just returns the same database object returned
synchronously (migrations currently aren't supported - see below).
For more information how to use the WebSQL API, see the spec or various tutorials.
For more information on sqlite3
, see the SQLite3 readme.
You can also use this module in the browser (via Browserify/Webpack/etc.),
in which case it will just use
window.openDatabase
, meaning you are subject to browser WebSQL support.
Both readTransaction()
(read-only) and transaction()
(read-write) are supported.
readTransaction()
has some small performance optimizations, so it's worthwhile to
use if you're not writing any data in a transaction.
The WebSQL Database API is a deprecated standard, but in many cases it's useful to reuse legacy code designed for browsers that support WebSQL. Also, it allows you to quickly test WebSQL-based code in Node, which can be convenient.
The goal of this API is to exactly match the existing WebSQL API, as implemented
in browsers. If there's any difference between browsers (e.g. rows[0]
is supported
in Chrome, whereas only rows.item(0)
is supported in Safari), then the lowest-common
denominator version is exported by this library.
This library has a robust test suite, and has been known to pass the PouchDB test suite as well.
This library is not designed to:
BLOB
s, encryption, etc.In other words, the goal is not to carry the torch of WebSQL, but rather to bridge the gap from existing WebSQL-based code to Node.js.
This library is designed to allow swappable SQLite3 implementations, beyond just node-sqlite3. Examples:
To create your own custom implementation, use this API:
var customOpenDatabase = require('websql/custom');
var openDatabase = customOpenDatabase(SQLiteDatabase);
This SQLiteDatabase
implementation needs to be a constructor-style function
with a constructor signature like so:
// takes a single argument: the database name
var db = new SQLiteDatabase('dbname');
Then it implements a single function, exec()
, like so:
function exec(queries, readOnly, callback) {
// queries: an array of SQL statements and queries, with a key "sql" and "args"
// readOnly: whether or not these queries are in "read only" mode
// callback: callback to be called with results (first arg is error, second arg is results)
}
Here is the full specification:
Construct a new SQLiteDatbase
object, with the given string name.
Execute the list of SQLQuery
s. If we are in readOnly
mode, then any
non-SELECT
queries need to throw an error without executing. This function calls the Node-style
callback with an error as the first argument or the Array<SQLResult>
as
the second argument.
A SQL query and bindings to execute. This can be a plain JavaScript object or a custom class, as long as it has the following members:
The SQL query to execute.
The arguments to bind the query.
E.g.:
{
sql: 'INSERT INTO foo values (?, ?)',
args: ['bar', 'baz']
}
A result returned by a SQL query. This can be a plain JavaScript object or a custom class, as long as it has the following members:
A JavaScript Error
object, or undefined
if the SQLQuery
did not throw an error. If error
is truthy, then it's assumed insertId
, rowsAffected
, and rows
are falsy (they will be ignored anyway).
An insertion ID representing the new row number, or undefined
if nothing was inserted.
The number of rows affected by the query, or 0 if none.
The rows returned by a SELECT
query, or empty if none.
Each object is a mapping of keys (columns) to values (value fetched).
E.g.:
{
insertId: undefined,
rowsAffected: 0,
rows: [
{'foo': 'bar'},
{'foo': 'baz'},
]
}
Or:
{
error: new Error('whoopsie')
}
For an example implementation (and the one used by this module)
see lib/sqlite/SQLiteDatabase.js
.
The versioning and migration APIs
(i.e. changeVersion()
)
are not supported. Pull requests welcome!
With the restrictions of the node-sqlite3 API
on database names ("Valid values are filenames, ":memory:" for an anonymous
in-memory database and an empty string for an anonymous disk-based
database") and our lack of interest to enforce a particular mapping that
honors the WebSQL spec
in its indicating that "All strings including the empty string are valid database
names" (and that they are case-sensitive), consumers will need to do their
own mapping for strings in order to 1) avoid problems with invalid filenames or
filenames on case insensitive file systems, and to 2) avoid user databases being
given special treatment if the empty string or the string ":memory:" is used;
another special purpose form of string supported by SQLite that may call for
escaping are file::memory:...
URLs.
Although neither the WebSQL spec nor SQLite speaks to this matter,
node-sqlite3
has the following additional
limitations
which are surfaced for our users: namely, that statements will only be
executed up to the first NULL byte and SQL comments
will lead to runtime errors.
First:
npm install
Main test suite:
npm test
Linter:
npm run lint
Test in debug mode (e.g. with the node-inspector
):
npm run test-debug
Run the test suite against actual WebSQL in a browser:
npm run test-local
Run the actual-WebSQL test against PhantomJS:
npm run test-phantom
1.0.0
_ Upgrade to node-sqlite3 v4.0.0, which drops support for Node v0.10 and Node v0.12
FAQs
WebSQL Database API, implemented for Node using sqlite3
The npm package websql receives a total of 9,320 weekly downloads. As such, websql popularity was classified as popular.
We found that websql demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.