UNPKG

@ydbjs/query

Version:

High-level, type-safe YQL query and transaction client for YDB. Supports tagged template syntax, parameter binding, transactions, and statistics.

github.com/ydb-platform/ydb-js-sdk

ydb-platform/ydb-js-sdk

61 lines (46 loc) 2.06 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
# YDB JavaScript SDK Instructions for GitHub Copilot When working with @ydbjs/query and YQL functions: ## CRITICAL: Template Literal Security - ALWAYS use yql`SELECT...` template literal syntax for queries - NEVER use yql(string) with pre-built strings containing user input - Template literals automatically parameterize values preventing SQL injection ## Parameter Handling - All ${value} interpolations in template literals become safe parameters - Use Optional<T> types from @ydbjs/value for nullable database values - Validate and sanitize all user inputs before passing to yql functions - Apply size limits to prevent DoS attacks ## Dynamic Identifiers - Use identifier() function for table/column names: ${identifier('tableName')} - Use unsafe() ONLY for trusted contexts (migrations, static fragments) - Never use unsafe() with user-controllable data ## Type Safety - Import specific types from @ydbjs/value (Int32, Text, Optional, etc.) - Use TypeScript strict mode with strictNullChecks enabled - Prefer explicit type conversion over implicit coercion ## Examples: ✅ SAFE PATTERNS: ```typescript // Parameterized query with validation let userId = userInput?.id ? new Int32(userInput.id) : Optional.int32() yql`SELECT * FROM users WHERE id = ${userId}` // Dynamic table name with identifier() yql`SELECT * FROM ${identifier(tableName)} WHERE status = ${status}` // Safe string handling let searchTerm = (userInput.search || '').trim().substring(0, 100) yql`SELECT * FROM posts WHERE title LIKE ${searchTerm}` ``` ❌ DANGEROUS PATTERNS: ```typescript // String concatenation - NEVER DO THIS let query = `SELECT * FROM users WHERE id = ${userInput}` yql(query) // Direct user input without validation yql`SELECT * FROM users WHERE id = ${req.body.userId}` // Uncontrolled limits yql`SELECT * FROM posts LIMIT ${userInput.limit}` ``` ## Error Handling - Always handle potential null/undefined values - Use try-catch blocks for query execution - Log errors without exposing sensitive data Follow complete security guidelines in SECURITY.md