Sqorn

Sqorn

  • Github
  • Documentation
  • Demo

›Misc

Introduction

  • About
  • Setup
  • Quick Start

Queries

  • Manual
  • Select
  • Delete
  • Insert
  • Update

Expressions

  • Expressions
  • Operations

Execution

  • Executing Queries
  • Transactions

Misc

  • Configuration
  • API
  • FAQ
Edit

FAQ

This document is inaccurate and incomplete. Refer to the tutorial.

How does Sqorn prevent SQL injection?

Sqorn's query builder constructs parameterized queries, which are then passed to the underlying database library for execution.

const name = 'Bruce Wayne'
const city = 'Gotham City'
const query = sq.from`person`.where`name = ${name} and city = ${city}`.query()
const expected = {
  text: 'select * from person where name = $1 and city = $2',
  args: ['Bruce Wayne', 'Gotham City']
}
expect(query).toEqual(expected)

How does Sqorn work?

When a method on the query builder sq is called, it pushes an object containing the method name and arguments to an array named methods.

sq.from`person`.where`age > ${20} and age < ${30}`.return`name`
// methods ===
[ { type: 'frm', args: [ [ 'person' ] ] },
  { type: 'whr', args: [ [ 'age > ', ' and age < ', '' ], 20, 30 ] },
  { type: 'ret', args: [ [ 'name' ] ] } ]

Certain methods like .run trigger the three-step compilation process:

First, the entries in methods are processed sequentially to build a context object ctx.

// ctx === context(methods) ===
{ type: 'select',
  frm: [ [ 'person' ] ],
  whr: [ [ 'age > ', ' and age < ', '' ], 20, 30 ],
  ret: [ [ 'name' ] ] }

Second, a Query of type ctx.type is constructed. Each Query is constructed from a sequence of clauses, which are evaluated against ctx. Each clause returns an object with properties text for its text component and args for its parameterized arguments.

select = Query(
  With,   // undefined
  Select, // { text: 'select age', args: [] }
  From,   // { text: 'from person', args: []}
  Where,  // { text: 'where age > $1 and age < $2, args: [7, 13] }
  Group,  // undefined
  Having, // undefined
  Order,  // undefined
  Limit,  // undefined
  Offset  // undefined
)

Finally, the contributions from all clauses are joined together to construct a complete SQL query with parameterized arguments. This query is passed to the underlying database library for execution.

{ text: 'select age from person where age > $1 and age < $2' 
  args: [7, 13] }
← API
  • How does Sqorn prevent SQL injection?
  • How does Sqorn work?
Copyright © 2018 Sufyan Dawoodjee