String output vs. parameterized
clschnei opened this issue · 6 comments
Triple checked the docs and source code, is there a way to output a full query string?
eg:
const min = 20, max = 30
const People = sq.l`select * from person where age >= ${min} and age < ${max}`
People.query
{ text: 'select * from person where age >= $1 and age < $2',
args: [20, 30] }
// Sample API
People.query.toString()
'select * from person where age >= 20 and age < 30'
There isn't. What is your use case?
Generally, it's dangerous because executing unparameterized query strings makes you vulnerable to SQL injection.
Also, what would you expect to see for non-primitive query arguments, e.g. array/object parameters? JSON?
Definitely, parameterized is best. Wanted to use it for generating some data import scripts, though.
I would say the non-primatives are not currently a problem for my needs. But I do see the value in discussing it.
I'll add this to the list of TODOs. I'll probably add a new method .queryRaw
or maybe .export
.
const q = sq.from('book').where({ id: 7 })
q.query // { text: select * from book where id = $1, args: [7] }
q.queryRaw // select * from book where id = 7
Resolved in Sqorn v0.0.40. Use method .unparameterized
.
So, this turned out to be relatively painless? Thanks for the quick turn around! I'll start using it this week.
NOTE: link to the pr --> #50
The implementation was easy because I just copy-pasted Node-Postgres's string escape function. Thanks!