Safely generate and compose SQL statements with tagged template literals. Written in TypeScript.
import {sql} from '@mojojs/sql';
// {text: 'SELECT * FROM users WHERE name = $1', values: ['sebastian']}
const {text, values} = sql`SELECT * FROM users WHERE name = ${'sebastian'}`.toQuery();
To prevent SQL injection attacks, all interpolated values become placeholders in the generated query. Partial statements can even be used recursively to build more complex queries.
const role = 'admin';
const partialQuery = sql`AND role = ${role}`;
const name = 'root';
// {text: 'SELECT * FROM users WHERE name = $1 AND role = $2', values: ['root', 'admin']}
const {text, values} = sql`SELECT * FROM users WHERE name = ${name} ${partialQuery}`.toQuery();
Make partial statements optional to dynamically generate WHERE
clauses.
const optionalPart = foo === true ? sql`AND foo IS NOT NULL` : sql``;
const {text, values} = sql`SELECT * FROM users WHERE name = ${'sebastian'} ${optionalPart}`.toQuery();
And if you need a little more control over the generated SQL query, you can of course also bypass safety features with
the tagged template literal sqlUnsafe
. But make sure to handle unsafe values yourself with appropriate escaping
functions for your database. For PostgreSQL there are escapeLiteral
and escapeIdentifier
functions included with
this package.
import {sql, sqlUnsafe, escapeLiteral} from '@mojojs/sql';
const role = 'role = ' + escapeLiteral('power user');
const partialQuery = sqlUnsafe`AND ${role}`;
const name = 'root';
// {text: "SELECT * FROM users WHERE name = $1 AND role = 'power user'", values: ['root']}
const {text, values} = sql`SELECT * FROM users WHERE name = ${name} ${partialQuery}`.toQuery();
For databases that do not support numbered placeholders like $1
and $2
, you can set a custom character with the
placeholder
option.
// {text: 'SELECT * FROM users WHERE name = ?', values: ['root']}
const {text, values} = sql`SELECT * FROM users WHERE name = ${'root'}`.toQuery({placeholder: '?'});
All you need is Node.js 16.0.0 (or newer).
$ npm install @mojojs/sql
If you have any questions the documentation might not yet answer, don't hesitate to ask in the Forum, on Matrix, or IRC.