From 2ccc17a3c5ef7f0f86a183ebb7caf00fba09a5c6 Mon Sep 17 00:00:00 2001
From: Dovid Gefen
Date: Wed, 3 Feb 2021 15:35:22 +0200
Subject: [PATCH] Add .toSqlString() escapeId overriding closes #57 closes #58
---
 HISTORY.md | 5 +++++
 README.md | 4 ++++
 lib/SqlString.js | 2 ++
 test/unit/test-SqlString.js | 8 ++++++++
 4 files changed, 19 insertions(+)
diff --git a/HISTORY.md b/HISTORY.md
index aea1dfc..b22da7b 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -1,3 +1,8 @@
+unreleased
+==========
+
+ * Add `.toSqlString()` escapeId overriding
+
 2.3.3 / 2022-03-06
 ==================
diff --git a/README.md b/README.md
index 5a9934f..1492657 100644
--- a/README.md
+++ b/README.md
@@ -172,6 +172,10 @@ console.log(sql); // SELECT `username`, `email` FROM `users` WHERE id = 1
 ```
 **Please note that this last character sequence is experimental and syntax might change**
+To skip escaping one or more of the columns names that you pass to `SqlString.escapeId()`
+you may use `SqlString.raw()` similarly to how it is used with `SqlString.escape()`.
+See above for more details.
+
 When you pass an Object to `.escape()` or `.format()`, `.escapeId()` is used to avoid SQL injection in object keys.
 ### Formatting queries
diff --git a/lib/SqlString.js b/lib/SqlString.js
index 8206dad..b8cea61 100644
--- a/lib/SqlString.js
+++ b/lib/SqlString.js
@@ -24,6 +24,8 @@ SqlString.escapeId = function escapeId(val, forbidQualified) {
 }
 return sql;
+ } else if (typeof val.toSqlString === 'function') {
+ return String(val.toSqlString());
 } else if (forbidQualified) {
 return '`' + String(val).replace(ID_GLOBAL_REGEXP, '``') + '`';
 } else {
diff --git a/test/unit/test-SqlString.js b/test/unit/test-SqlString.js
index 580aa4e..ed038bb 100644
--- a/test/unit/test-SqlString.js
+++ b/test/unit/test-SqlString.js
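Review bot: The added `typeof val.toSqlString === 'function'` branch in lib/SqlString.js dereferences `val` before anything visible in the hunk rules out `null` or `undefined`, so `escapeId(undefined)` would now throw a TypeError where the `String(val)` branches below it return a quoted identifier; the start of escapeId is outside the hunk, so confirm that no earlier guard exists. A null-safe form is `} else if (val != null && typeof val.toSqlString === 'function') {`. The branch also returns the method's output verbatim for any object carrying a `toSqlString` function, not only `SqlString.raw()` values, and it does so even when `forbidQualified` is set, so callers that treated escapeId's result as always backtick-quoted lose that guarantee. I would add a comment above the branch such as `// toSqlString() output is inserted verbatim and bypasses forbidQualified; build it from trusted constants only`.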
@@ -46,6 +46,14 @@ test('SqlString.escapeId', {
 'nested arrays are flattened': function() {
 assert.equal(SqlString.escapeId(['a', ['b', ['t.c']]]), '`a`, `b`, `t`.`c`');
+ },
+
+ 'raw not escaped': function () {
+ assert.equal(SqlString.escapeId(SqlString.raw('*')), '*');
+ },
+
+ 'raw within array not escaped': function () {
+ assert.equal(SqlString.escapeId(['a', SqlString.raw('*'), 'b']), '`a`, *, `b`');
 }
 });
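Review bot: Both added cases pass `SqlString.raw('*')` with default arguments, so nothing pins how the new escapeId branch behaves when `forbidQualified` is set or when the value is `null` or `undefined`, the two inputs where the change is most likely to surprise callers. Adding `assert.equal(SqlString.escapeId(SqlString.raw('*'), true), '*');` would record that raw values bypass the qualifier restriction, and `assert.doesNotThrow(function () { SqlString.escapeId(null); });` would expose the nullish-input case. A case using a plain object with its own `toSqlString` method would also document that the verbatim path is not limited to `SqlString.raw()`. The enclosing `test('SqlString.escapeId', {` block starts above the hunk.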