{"id":22942342,"url":"https://github.com/sandergi/sql-strings","last_synced_at":"2025-04-01T21:19:00.315Z","repository":{"id":230162510,"uuid":"777978975","full_name":"SanderGi/sql-strings","owner":"SanderGi","description":"Write SQL-injection protected SQL statements using template strings!","archived":false,"fork":false,"pushed_at":"2024-03-28T04:53:57.000Z","size":46,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-25T10:01:41.856Z","etag":null,"topics":["javascript-library","sql","sql-builder","template-strings"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/sql-strings","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SanderGi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-03-26T21:19:41.000Z","updated_at":"2025-01-23T07:48:43.000Z","dependencies_parsed_at":null,"dependency_job_id":"93944e5f-ffe1-49c8-9a1b-28036a829ef0","html_url":"https://github.com/SanderGi/sql-strings","commit_stats":null,"previous_names":["sandergi/sql-strings"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SanderGi%2Fsql-strings","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SanderGi%2Fsql-strings/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SanderGi%2Fsql-strings/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SanderGi%2Fsql-strings/manifes
ts","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SanderGi","download_url":"https://codeload.github.com/SanderGi/sql-strings/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246531986,"owners_count":20792735,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["javascript-library","sql","sql-builder","template-strings"],"created_at":"2024-12-14T13:47:29.365Z","updated_at":"2025-04-01T21:19:00.309Z","avatar_url":"https://github.com/SanderGi.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# sql-strings\n\n[![LOC](./.badges/lines-of-code.svg)](./.badges/lines-of-code.svg)\n[![FileCount](./.badges/file-count.svg)](./.badges/file-count.svg)\n[![Tests](./.badges/tests.svg)](./.badges/tests.svg)\n[![Coverage](./.badges/coverage.svg)](./.badges/coverage.svg)\n\nWrite SQL-injection protected SQL statements using template strings. 
Useful for longer queries and dynamically created queries where keeping the SQL and bind parameters separate becomes disorienting.\n\n```js\nimport { SQL } from 'sql-strings';\n\nconst username = 'bob'; // potentially unsafe input\n\n// postgres:\nawait client.query(SQL`SELECT * FROM users WHERE username = ${username}`);\n// is equivalent to:\nawait client.query('SELECT * FROM users WHERE username = ?', [username]);\n\n// mysql:\nconnection.query(SQL`SELECT * FROM users WHERE username = ${username}`());\n// is equivalent to:\nconnection.query('SELECT * FROM users WHERE username = ?', [username]);\n\n// sqlite3:\ndb.all(...SQL`SELECT * FROM users WHERE username = ${username}`);\n// is equivalent to:\ndb.all('SELECT * FROM users WHERE username = ?', [username]);\n\n// sequelize:\nsequelize.query(SQL`SELECT * FROM users WHERE username = ${username}`());\n// is equivalent to:\nsequelize.query({ query: 'SELECT * FROM users WHERE username = ?', values: [username] });\n```\n\nCompatible with [node-sqlite3](https://github.com/TryGhost/node-sqlite3), [Sequelize](https://www.npmjs.com/package/sequelize), [mysql](https://www.npmjs.com/package/mysql), [postgres](https://www.npmjs.com/package/pg), and more!\n\n\u003e **Note:** This is my first npm package and made for learning purposes. Feedback is welcome! I'll keep it updated with bug/security fixes but will not be adding new features. Consider an [alternative](#alternatives) for more features.\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). 
[Node.js v18.17.0](https://nodejs.org/en/download/) or higher is recommended.\n\nInstallation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```console\n$ npm install sql-strings\n```\n\n## Recommended Extensions for Syntax Highlighting\n\nThese editor extensions will syntax highlight the SQL template strings for better readability:\n\n-   VS Code: [ES6 String HTML](https://marketplace.visualstudio.com/items?itemName=Tobermory.es6-string-html).\n-   Sublime Text: [javascript-sql-sublime-syntax](https://github.com/AsterisqueDigital/javascript-sql-sublime-syntax).\n-   Vim: [vim-javascript-sql](https://github.com/statico/vim-javascript-sql).\n\n## Usage\n\nPrefix your template strings with `SQL` and use `${}` for bind parameters.\n\n```js\nconst username = 'bob';\nconst sql = SQL`SELECT * FROM users WHERE username = ${username}`;\n```\n\nThis SQLString object can be called as a function using `()` to get an object compatible with most database drivers.\n\n```js\nconnection.query(sql());\n```\n\nTo insert raw values into the SQL string without escaping them as bind parameters, pass them to the SQLString using parentheses:\n\n```js\nconst tablename = 'users';\nconnection.query(SQL`SELECT * FROM \"`(tablename)`\" WHERE username = ${username};`());\n```\n\nTo append to an existing SQLString object, use the `append` method:\n\n```js\nconst sql = SQL`SELECT * FROM \"`;\nsql.append(tablename);\nsql.append`\" WHERE username = ${username}`;\nsql.append` ID in (`;\nfor (const id of [1, 2, 3]) {\n    sql.append`${id}, `;\n}\nsql.append`4)`;\nconnection.query(sql());\n```\n\nYou can optionally leave out the `.append`:\n\n```js\nconst sql = SQL`SELECT * FROM \"`;\nsql(tablename);\nsql`\" WHERE username = ${username}`;\nsql` ID in (`;\nfor (const id of [1, 2, 3]) {\n    sql`${id}, `;\n}\nsql`4)`;\nconnection.query(sql());\n```\n\n### SQL Driver Specific Syntax\n\n-   node-sqlite3 like APIs use the spread 
operator ``...SQL`query`​`` instead of the final parenthesis ``SQL`query`()`` syntax.\n\n```js\nimport sqlite3 from 'sqlite3';\nimport { SQL } from 'sql-strings';\n\nconst db = new sqlite3.Database(':memory:');\nconst username = 'bob';\nconst tablename = '\"users\"';\n\nconst sql = SQL`SELECT * FROM `;\nsql.append(tablename);\nsql.append` WHERE username = ${username}`;\n\ndb.all(...sql);\n// is equivalent to:\ndb.all('SELECT * FROM \"users\" WHERE username = ?', [username]);\n```\n\n-   node-postgres can optionally omit the final parenthesis and use ``SQL`query`​`` syntax.\n\n-   sequelize by default replaces the parameters on the client. To use bind parameters on the database side, pass `SQL.SEQUELIZE_USE_BIND` to the final parenthesis with ``SQL`query`(SQL.SEQUELIZE_USE_BIND)`` syntax.\n\n```js\nimport { SQL } from 'sql-strings';\nimport { Sequelize } from 'sequelize';\n\nconst sequelize = new Sequelize('sqlite::memory:');\nconst username = 'bob';\nconst tablename = 'users';\n\nconst sql = SQL`SELECT * FROM \"`(tablename)`\" WHERE username = ${username}`;\nsequelize.query(sql(SQL.SEQUELIZE_USE_BIND));\n// is equivalent to:\nsequelize.query({ query: 'SELECT * FROM \"users\" WHERE username = $1', bind: [username] });\n```\n\n## Examples\n\nThe following application uses the sql-strings package: [Attendance Scanner](https://github.com/clr-li/AttendanceScanner).\nYou can also take a look at the [test suite](test) for more examples.\n\n## Alternatives\n\n-   [sql-template-strings](https://www.npmjs.com/package/sql-template-strings) does the same thing but doesn't support node-sqlite3 and has a different syntax.\n\n## Contributing\n\nAll constructive contributions are welcome including anything from bug fixes and new features to improved documentation, tests and more! 
Feel free to open an issue to discuss the proposed change and then submit a pull request :)\n\n### Security Issues\n\nIf you discover a security vulnerability in sql-strings, please contact the [current main maintainer](#contributors).\n\n### Running Tests\n\nTests run automatically pre-commit using [Husky](https://typicode.github.io/husky/). To run the test suite manually, first install the dependencies, then run `npm test`:\n\n```console\n$ npm install\n$ npm test\n```\n\nYou will need to set up a [mysql](https://www.mysql.com/) and [postgres](https://www.postgresql.org/) database on localhost with username `test`, password `test`, and database `test` to run their respective tests.\n\n### Linting and Formatting\n\n[Eslint](https://eslint.org/) is used for static analysis, [fixpack](https://www.npmjs.com/package/fixpack) is used to standardize package.json and [Prettier](https://prettier.io/) is used for automatic formatting. Linting will automatically run pre-commit using [Husky](https://typicode.github.io/husky/) and [Lint-Staged](https://www.npmjs.com/package/lint-staged). Formatting can be set up to happen [automatically in your editor](https://prettier.io/docs/en/editors.html) (e.g. on save). Formatting and linting can also be run manually:\n\n```console\n$ npm install\n$ npm run format\n$ npm run lint\n```\n\n### Generating TypeScript Types\n\nTypescript types are automatically generated from the JSDoc in the `/types` folder when the npm package is packaged/published. 
To update the TypeScript types manually, run the following command:\n\n```console\n$ npm run types\n```\n\nThis will allow TypeScript users to benefit from the type information provided in the JSDoc.\n\nIf you also want to generate the readme badges, run the following command:\n\n```console\n$ npm run build\n```\n\n## Contributors\n\nThe author of sql-strings is [Alexander Metzger](https://sandergi.github.io).\n\nFunctionality is inspired by [sql-template-strings](https://www.npmjs.com/package/sql-template-strings).\n\nAll contributors will be listed here.\n\n## License\n\n[MIT](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsandergi%2Fsql-strings","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsandergi%2Fsql-strings","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsandergi%2Fsql-strings/lists"}