Hacker News new | ask | show | jobs
by eejdoowad 2824 days ago
Sqorn author here.

Sqorn doesn't use tagged template literals to be cool. It uses them to make writing SQL flexible, secure and intuitive.

You can write:

const boy = sq.from`person`.where`age < ${7} and gender = ${'male}`

to produce the query:

{ text: 'select * from person where age < $1 and gender = $2', args: [7, 'male'] }.

All methods have both template and non-template string forms you can choose between. For example, the query above could also be written as:

sq.from('person').where({ maxAge: sq.l`age < ${7}`, gender: 'male' })

or even as:

sq`person``age < ${7} and gender = ${'male}`

or for those who like plain old SQL:

sq.l`select * from person where age < ${7} and gender = ${'male'}`

Read the tutorial at https://sqorn.org/docs/tutorial.html to learn about the possibilities.
1 comments
tolmasky 2824 days ago
Sincere question: doesn't the use of template strings increase the possibility of injection where none would theoretically be possible in the non-string version of the API? Not super familiar with the intended purpose of sqorn, hence the real question, but I think part of the goal of query builders can be to very specifically constrain the possible generated output statically.

So, for example in your example above, if I had tied the age parameter to some input box, it is now theoretically up to the caller to sanitize age and make sure the user doesn't type "10 || 1 = 1" or something. This as opposed to say, doing .where(less_than(identifier("age"), input)), where you can absolutely know that if input is not an int you can safely throw. I am basically making the same injection question that's existed forever which is that if you deal at the coarseness of string parsing, you lose the information of what is user generated and what is programmer generated.

link
olooney 2824 days ago
Putting a function in front of a backtick string replaces normal string introplation: instead of the default behavior, the function before the backtick string gets passed the literal pieces of the template string and ${} values explicitly and separately. Instead of returning an interpolated string, the function can return whatever it wants. In sqorn's case, it returns an Object with separate keys for sql and and values. When the time comes to actually execute a query, sqorn passes these objects to database backends with positional placeholders in the SQL ($1, $2, $3, etc.) and the values as positional bound parameters. This is a safe way to prevent SQL injection.
link
tolmasky 2824 days ago
Excellent, completely answers my question!
link