1.0.4 • Published 6 months ago

sql-assert v1.0.4

License
Apache-2.0

SQL Assert


Assert identifiers (e.g. table/view names) before using them in SQL statements.

Installation

npm install sql-assert --save

Usage

Standalone

import { simpleSqlName, qualifiedSqlName, noop } from "sql-assert";

// returns a valid SQL name or throws an error
const stmt1 = `select count(*) from ${simpleSqlName(tableName)}`;
const stmt2 = `select count(*) from ${qualifiedSqlName(tableName)}`;

// noop performs no validation and returns the original value unchanged,
// so SQL injection is possible, e.g., if `tableName` is a function parameter
const stmt3 = `select count(*) from ${noop(tableName)}`;

With sql-template-tag

import sql, { raw } from "sql-template-tag";
import { simpleSqlName, qualifiedSqlName } from "sql-assert";

// throws an error if tableName or columnName is not syntactically valid
// columnValue is a bind variable, hence no SQL injection is possible
const query = sql`select count(*) 
                    from ${raw(qualifiedSqlName(tableName))} 
                   where ${raw(simpleSqlName(columnName))} = ${columnValue}`;
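
The pattern behind both usage snippets, as an added example that is not part of sql-assert or its README: identifiers are checked against a strict grammar before interpolation, while the value travels as a bind parameter. The names `assertSimpleName`, `assertQualifiedName` and `buildCountQuery`, the identifier grammar, the three-part limit and the `?` placeholder style are assumptions for illustration; the package's own rules may differ.

```javascript
// Added illustration: names and grammar are assumptions, not sql-assert's code.
// Unquoted identifier: an ASCII letter, then letters, digits, _, $ or #.
const SIMPLE_NAME = /^[A-Za-z][A-Za-z0-9_$#]*$/;
const MAX_PARTS = 3; // assumed limit, e.g. catalog.schema.table

function assertSimpleName(value) {
  if (typeof value !== "string" || !SIMPLE_NAME.test(value)) {
    throw new Error(`invalid simple SQL name: ${JSON.stringify(value)}`);
  }
  return value;
}

function assertQualifiedName(value) {
  const parts = typeof value === "string" ? value.split(".") : [];
  if (parts.length === 0 || parts.length > MAX_PARTS) {
    throw new Error(`invalid qualified SQL name: ${JSON.stringify(value)}`);
  }
  parts.forEach((part) => assertSimpleName(part)); // empty parts ("a..b") fail here
  return value;
}

// Identifiers are validated, then interpolated; the value stays a bind parameter
// ("?" is an assumed placeholder style, drivers differ).
function buildCountQuery(tableName, columnName, columnValue) {
  const text =
    `select count(*) from ${assertQualifiedName(tableName)} ` +
    `where ${assertSimpleName(columnName)} = ?`;
  return { text, values: [columnValue] };
}

// Constructed inputs: one legitimate call and three that must be rejected.
const samples = [
  ["hr.employees", "dept_id"],
  ["employees; drop table employees", "dept_id"],
  ["hr..employees", "dept_id"],
  ["employees", "dept_id\n"],
];
for (const [table, column] of samples) {
  try {
    console.log(buildCountQuery(table, column, 10).text);
  } catch (err) {
    console.log(`rejected: ${err.message}`);
  }
}
```

The grammar is deliberately narrower than what a database accepts (no quoted identifiers, no non-ASCII letters), so a rejected name is a validation failure to handle, not proof of an attack.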

License

sql-assert is licensed under the Apache License, Version 2.0. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.

1.0.4

6 months ago

1.0.3

6 months ago

1.0.2

7 months ago

1.0.1

7 months ago

1.0.0

7 months ago