UNPKG

safe-squel

Version:

(safe version) SQL query string builder

github.com/hiddentao/squel

hiddentao/squel

381 lines (284 loc) 10.9 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
# squel - SQL query string builder [![Build Status](https://secure.travis-ci.org/hiddentao/squel.svg?branch=master)](http://travis-ci.org/hiddentao/squel) [![CDNJS](https://img.shields.io/cdnjs/v/squel.svg)](https://cdnjs.com/libraries/squel) [![NPM module](https://badge.fury.io/js/squel.svg)](https://badge.fury.io/js/squel) [![NPM downloads](https://img.shields.io/npm/dm/squel.svg?maxAge=2592000)](https://www.npmjs.com/package/squel) [![Join the chat at https://discord.gg/PBAR2Bz](https://img.shields.io/badge/discord-join%20chat-738bd7.svg)](https://discord.gg/PBAR2Bz) [![Follow on Twitter](https://img.shields.io/twitter/url/http/shields.io.svg?style=social&label=Follow&maxAge=2592000)](https://twitter.com/hiddentao) A flexible and powerful SQL query string builder for Javascript. Full documentation (guide and API) at [https://hiddentao.com/squel/](https://hiddentao.com/squel/). ## Features * Works in node.js and in the browser. * Supports the standard SQL queries: SELECT, UPDATE, INSERT and DELETE. * Supports non-standard commands for popular DB engines such as MySQL. * Supports paramterized queries for safe value escaping. * Can be customized to build any query or command of your choosing. * Uses method chaining for ease of use. * Small: ~7 KB minified and gzipped * And much more, [see the guide..](https://hiddentao.com/squel/) **WARNING: Do not ever pass queries generated on the client side to your web server for execution.** Such a configuration would make it trivial for a casual attacker to execute arbitrary queries&mdash;as with an SQL-injection vector, but much easier to exploit and practically impossible to protect against. _Note: Squel is suitable for production use, but you may wish to consider more actively developed alternatives such as [Knex](http://knexjs.org/)_ ## Installation Install using [npm](http://npmjs.org/): ```bash $ npm install squel ``` ## Available files * `squel.js` - unminified version of Squel with the standard commands and all available non-standard commands added * `squel.min.js` - minified version of `squel.js` * `squel-basic.js` - unminified version of Squel with only the standard SQL commands * `squel-basic.min.js` - minified version of `squel-basic.js` ## Examples Before running the examples ensure you have `squel` installed and enabled at the top of your script: var squel = require("squel"); ### SELECT ```javascript // SELECT * FROM table squel.select() .from("table") .toString() // SELECT t1.id, t2.name FROM table `t1` LEFT JOIN table2 `t2` ON (t1.id = t2.id) WHERE (t2.name <> 'Mark') AND (t2.name <> 'John') GROUP BY t1.id squel.select() .from("table", "t1") .field("t1.id") .field("t2.name") .left_join("table2", "t2", "t1.id = t2.id") .group("t1.id") .where("t2.name <> 'Mark'") .where("t2.name <> 'John'") .toString() // SELECT `t1`.`id`, `t1`.`name` as "My name", `t1`.`started` as "Date" FROM table `t1` WHERE age IN (RANGE(1, 1.2)) ORDER BY id ASC LIMIT 20 squel.select({ autoQuoteFieldNames: true }) .from("table", "t1") .field("t1.id") .field("t1.name", "My name") .field("t1.started", "Date") .where("age IN ?", squel.str('RANGE(?, ?)', 1, 1.2)) .order("id") .limit(20) .toString() ``` You can build parameterized queries: ```js /* { text: "SELECT `t1`.`id`, `t1`.`name` as "My name", `t1`.`started` as "Date" FROM table `t1` WHERE age IN (RANGE(?, ?)) ORDER BY id ASC LIMIT 20", values: [1, 1.2] } */ squel.select({ autoQuoteFieldNames: true }) .from("table", "t1") .field("t1.id") .field("t1.name", "My name") .field("t1.started", "Date") .where("age IN ?", squel.str('RANGE(?, ?)', 1, 1.2)) .order("id") .limit(20) .toParam() ``` You can use nested queries: ```javascript // SELECT s.id FROM (SELECT * FROM students) `s` INNER JOIN (SELECT id FROM marks) `m` ON (m.id = s.id) squel.select() .from( squel.select().from('students'), 's' ) .field('id') .join( squel.select().from('marks').field('id'), 'm', 'm.id = s.id' ) .toString() ``` ### UPDATE ```javascript // UPDATE test SET f1 = 1 squel.update() .table("test") .set("f1", 1) .toString() // UPDATE test, test2, test3 AS `a` SET test.id = 1, test2.val = 1.2, a.name = "Ram", a.email = NULL, a.count = a.count + 1 squel.update() .table("test") .set("test.id", 1) .table("test2") .set("test2.val", 1.2) .table("test3","a") .setFields({ "a.name": "Ram", "a.email": null, "a.count = a.count + 1": undefined }) .toString() ``` ### INSERT ```javascript // INSERT INTO test (f1) VALUES (1) squel.insert() .into("test") .set("f1", 1) .toString() // INSERT INTO test (name, age) VALUES ('Thomas', 29), ('Jane', 31) squel.insert() .into("test") .setFieldsRows([ { name: "Thomas", age: 29 }, { name: "Jane", age: 31 } ]) .toString() ``` ### DELETE ```javascript // DELETE FROM test squel.delete() .from("test") .toString() // DELETE FROM table1 WHERE (table1.id = 2) ORDER BY id DESC LIMIT 2 squel.delete() .from("table1") .where("table1.id = ?", 2) .order("id", false) .limit(2) ``` ### Paramterized queries Use the `useParam()` method to obtain a parameterized query with a separate list of formatted parameter values: ```javascript // { text: "INSERT INTO test (f1, f2, f3, f4, f5) VALUES (?, ?, ?, ?, ?)", values: [1, 1.2, "TRUE", "blah", "NULL"] } squel.insert() .into("test") .set("f1", 1) .set("f2", 1.2) .set("f3", true) .set("f4", "blah") .set("f5", null) .toParam() ``` ### Expression builder There is also an expression builder which allows you to build complex expressions for `WHERE` and `ON` clauses: ```javascript // test = 3 OR test = 4 squel.expr() .or("test = 3") .or("test = 4") .toString() // test = 3 AND (inner = 1 OR inner = 2) OR (inner = 3 AND inner = 4 OR (inner IN ('str1, 'str2', NULL))) squel.expr() .and("test = 3") .and( squel.expr() .or("inner = 1") .or("inner = 2") ) .or( squel.expr() .and("inner = ?", 3) .and("inner = ?", 4) .or( squel.expr() .and("inner IN ?", ['str1', 'str2', null]) ) ) .toString() // SELECT * FROM test INNER JOIN test2 ON (test.id = test2.id) WHERE (test = 3 OR test = 4) squel.select() .join( "test2", null, squel.expr().and("test.id = test2.id") ) .where( squel.expr().or("test = 3").or("test = 4") ) ``` ### Custom value types By default Squel does not support the use of object instances as field values. Instead it lets you tell it how you want specific object types to be handled: ```javascript // handler for objects of type Date squel.registerValueHandler(Date, function(date) { return date.getFullYear() + '/' + (date.getMonth() + 1) + '/' + date.getDate(); }); squel.update(). .table('students') .set('start_date', new Date(2013, 5, 1)) .toString() // UPDATE students SET start_date = '2013/6/1' ``` _Note that custom value handlers can be overridden on a per-instance basis (see the [docs](https://hiddentao.com/squel/))_ ### Custom queries Squel allows you to override the built-in query builders with your own as well as create your own types of queries: ```javascript // ------------------------------------------------------ // Setup the PRAGMA query builder // ------------------------------------------------------ var util = require('util'); // to use util.inherits() from node.js var CommandBlock = function() {}; util.inherits(CommandBlock, squel.cls.Block); // private method - will not get exposed within the query builder CommandBlock.prototype._command = function(_command) { this._command = _command; } // public method - will get exposed within the query builder CommandBlock.prototype.compress = function() { this._command('compress'); }; CommandBlock.prototype.buildStr = function() { return this._command.toUpperCase(); }; // generic parameter block var ParamBlock = function() {}; util.inherits(ParamBlock, squel.cls.Block); ParamBlock.prototype.param = function(p) { this._p = p; }; ParamBlock.prototype.buildStr = function() { return this._p; }; // pragma query builder var PragmaQuery = function(options) { squel.cls.QueryBuilder.call(this, options, [ new squel.cls.StringBlock(options, 'PRAGMA'), new CommandBlock(), new ParamBlock() ]); }; util.inherits(PragmaQuery, squel.cls.QueryBuilder); // convenience method (we can override built-in squel methods this way too) squel.pragma = function(options) { return new PragmaQuery(options) }; // ------------------------------------------------------ // Build a PRAGMA query // ------------------------------------------------------ squel.pragma() .compress() .param('test') .toString(); // 'PRAGMA COMPRESS test' ``` Examples of custom queries in the wild: * https://github.com/bostrt/squel-top-start-at (blog post about it: http://blog.bostrt.net/extending-squel-js/) ## Non-standard SQL Squel supports the standard SQL commands and reserved words. However a number of database engines provide their own non-standard commands. To make things easy Squel allows for different 'flavours' of SQL to be loaded and used. At the moment Squel provides `mysql`, `mssql` and `postgres` flavours which augment query builders with additional commands (e.g. `INSERT ... RETURNING` for use with Postgres). To use this in node.js: ```javascript var squel = require('squel').useFlavour('postgres'); ``` For the browser: ```html <script type="text/javascript" src="https://rawgithub.com/hiddentao/squel/master/squel.min.js"></script> <script type="text/javascript"> squel = squel.useFlavour('postgres'); </script> ``` (Internally the flavour setup method simply utilizes the [custom query mechanism](http://hiddentao.github.io/squel/#custom_queries) to effect changes). Read the the [API docs](http://hiddentao.github.io/squel/api.html) to find out available commands. Flavours of SQL which get added to Squel in the future will be usable in the above manner. ## Building it To build the code and run the tests: $ npm install $ npm test <-- this will build the code and run the tests ## Releasing it Instructions for creating a new release of squel are in `RELEASE.md`. ## Contributing Contributions are welcome! Please see `CONTRIBUTING.md`. ## Older verions **Note: The latest Squel version only works on Node 0.12 or above. Please use Squel 4.4.1 for Node <0.12. The [old 4.x docs](http://hiddentao.github.io/squel/v4/index.html) are also still available.** ## Ports to other languages * .NET - https://github.com/seymourpoler/Squel.net * Crystal - https://github.com/seymourpoler/Squel.crystal ## License MIT - see LICENSE.md