String output vs. parameterized

Question

String output vs. parameterized

clschnei opened this issue 6 years ago · 6 comments

Triple checked the docs and source code, is there a way to output a full query string?
eg:

const min = 20, max = 30
const People = sq.l`select * from person where age >= ${min} and age < ${max}`

People.query
{ text: 'select * from person where age >= $1 and age < $2',
  args: [20, 30] }

// Sample API
People.query.toString()
'select * from person where age >= 20 and age < 30'

Answer 1 · 2018-11-30T22:13:36.000Z

There isn't. What is your use case?

Generally, it's dangerous because executing unparameterized query strings makes you vulnerable to SQL injection.

Also, what would you expect to see for non-primitive query arguments, e.g. array/object parameters? JSON?

Answer 2 · 2018-12-02T17:03:10.000Z

Definitely, parameterized is best. Wanted to use it for generating some data import scripts, though.

I would say the non-primatives are not currently a problem for my needs. But I do see the value in discussing it.

Answer 3 · 2018-12-02T21:05:35.000Z

I'll add this to the list of TODOs. I'll probably add a new method .queryRaw or maybe .export.

const q  = sq.from('book').where({ id: 7 })

q.query // { text: select * from book where id = $1, args: [7] }
q.queryRaw // select * from book where id = 7

Answer 4 · 2018-12-03T04:08:37.000Z

Resolved in Sqorn v0.0.40. Use method .unparameterized.

Answer 5 · 2018-12-03T19:10:28.000Z

So, this turned out to be relatively painless? Thanks for the quick turn around! I'll start using it this week.

NOTE: link to the pr --> #50

Answer 6 · 2018-12-03T19:28:58.000Z

The implementation was easy because I just copy-pasted Node-Postgres's string escape function. Thanks!