{"id":17434608,"url":"https://github.com/calebmer/pg-sql","last_synced_at":"2025-04-16T02:44:25.266Z","repository":{"id":57322647,"uuid":"77346836","full_name":"calebmer/pg-sql","owner":"calebmer","description":"Create SQL for Postgres in a safe and composable fashion with the power of template strings.","archived":false,"fork":false,"pushed_at":"2017-01-24T21:18:23.000Z","size":8,"stargazers_count":37,"open_issues_count":0,"forks_count":3,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-29T04:24:42.586Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/calebmer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-12-25T23:36:49.000Z","updated_at":"2023-04-13T04:26:01.000Z","dependencies_parsed_at":"2022-08-25T21:01:16.024Z","dependency_job_id":null,"html_url":"https://github.com/calebmer/pg-sql","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/calebmer%2Fpg-sql","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/calebmer%2Fpg-sql/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/calebmer%2Fpg-sql/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/calebmer%2Fpg-sql/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/calebmer","download_url":"https://codeload.github.com/calebmer/pg-sql/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","re
positories_count":248852184,"owners_count":21171843,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-17T09:07:40.538Z","updated_at":"2025-04-16T02:44:25.238Z","avatar_url":"https://github.com/calebmer.png","language":"TypeScript","readme":"# `pg-sql`\n\nCreate SQL for Postgres in a safe and composable fashion with the power of template strings.\n\n```js\nimport { sql } from 'pg-sql'\n\nconst tableName = 'user'\nconst id = 10\nconst query = sql`select * from ${sql.ident(tableName)} where id = ${id}`\n\nconsole.log(query)\n\n// -\u003e { text: 'select * from \"user\" where id = $1', values: [10] }\n```\n\nThis approach makes it impossible for developers to accidentally introduce SQL injection vulnerabilities. The only way to inject raw SQL is if a developer writes it directly in the template string, or wraps arbitrary input with the `sql.raw` function.\n\nYou can also easily compose queries:\n\n```js\nimport { sql } from 'pg-sql'\n\nconst var1 = 'foo'\nconst var2 = 'bar'\nconst var3 = 'baz'\n\nconst expression = sql`(${var1} || ${var2})`\nconst query = sql`select ${expression} || ${var3}`\n\nconsole.log(query)\n\n// -\u003e { text: 'select ($1 || $2) || $3', values: ['foo', 'bar', 'baz'] }\n```\n\nQueries created with the `sql` template string tag are ready to be used with the `pg` package as they are compatible with the prepared query object format. 
Just pass the query directly in like so:\n\n```js\npg.query(sql`select * from user where id = ${id}`).then(({ rows }) =\u003e console.log(rows))\n```\n\n## API\n\nThe API of this module is fairly simple, but this is where some of its power comes from.\n\n### ``sql`...` ``\n\nA template string tag which interpolates all values as placeholders unless they are escaped with a function from this package such as `sql.ident` or `sql.raw`.\n\nExample:\n\n```js\nsql`select * from user where id = ${id}`\n```\n\n### `sql.ident(...names)`\n\nCreates a Postgres identifier. A qualified identifier will be created if more than one name is passed. If a non-string value is used for a name, such as a symbol, a local identifier will be generated.\n\nExamples:\n\n```js\nsql`select * from ${sql.ident('user')}`\n// -\u003e 'select * from \"user\"'\n\nsql`select * from ${sql.ident('schema', 'user')}`\n// -\u003e 'select * from \"schema\".\"user\"'\n\nconst fromIdent = Symbol()\n\nsql`select * from user as ${sql.ident(fromIdent)}`\n// -\u003e 'select * from user as __local_0__'\n```\n\n### `sql.raw(text)`\n\nUse a string of text directly in the SQL. Helpful if you need to escape the constraints of this library.\n\n\u003e **Warning:** If you use arbitrary user generated input anywhere inside the text you pass to `sql.raw`, you will have a SQL injection vulnerability. Try not to use `sql.raw` unless absolutely necessary.\n\nExample:\n\n```js\nsql`select * from user where id ${sql.raw('=')} 5`\n// -\u003e 'select * from user where id = 5'\n```\n\n### `sql.join(queries, seperator?)`\n\nJoins an array of SQL queries together with an optional separator. Works similarly to `Array#join`.\n\nExample:\n\n```js\nsql`select ${sql.join([sql.query`id`, sql.query`name`], ', ')} from user`\n// -\u003e 'select id, name from user'\n```\n\n## Thanks\n\nEnjoy the library? Want to see what the author is up to next? 
Follow me on Twitter [`@calebmer`](https://twitter.com/calebmer).\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcalebmer%2Fpg-sql","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcalebmer%2Fpg-sql","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcalebmer%2Fpg-sql/lists"}