npm - @bkmj/node-red-contrib-odbcmj - Versions diffs - 1.3.0 → 1.4.0 - Mend

@bkmj/node-red-contrib-odbcmj 1.3.0 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # node-red-contrib-odbcmj
-A Node-RED implementation of odbc.js (https://www.npmjs.com/package/odbc). This node allows you to make queries to a database through an ODBC connection. Additionally, parameters can be passed to the SQL query using Mustache syntax, prepared statements, or directly in the query string.
+A Node-RED implementation of odbc.js (https://www.npmjs.com/package/odbc). This node allows you to make queries to a database through an ODBC connection. Parameters can be passed to the SQL query using Mustache syntax, prepared statements, or directly in the query string.
 ---
 ## Acknowledgment
@@ -17,6 +17,7 @@ This node is an unofficial fork of node-red-contrib-odbc by Mark Irish (https://
 * Connection nodes can have individually defined names.
 * Selectable SQL syntax checker.
 * Allows parameters to be passed as an object, mapping values to named parameters in the query.
+* Automatically handles prepared statements based on the query and parameters.
 ## Installation
@@ -31,18 +32,21 @@ For the `odbc` connector requirements, please see [the documentation for that pa
 `node-red-contrib-odbcmj` provides two nodes:
-* **`odbc config`**: A configuration node for defining your connection string and managing your connection parameters.
-* **`odbc`**: A node for running queries with or without parameters passed using Mustache syntax, a parameter array, or a parameter object.
+* **`odbc config`**: A configuration node for defining your connection string and managing your connection
+ parameters.
+* **`odbc`**: A node for running queries with or without parameters.
 ### `odbc config`
-A configuration node that manages connections in an `odbc.pool` object. [Can take any configuration property recognized by `odbc.pool()`](https://www.npmjs.com/package/odbc#constructor-odbcpoolconnectionstring). The connection pool will initialize the first time an `odbc` node receives an input message.
+A configuration node that manages connections in an `odbc.pool` object. [Can take any configuration property recognized by `odbc.pool()`](https://www.npmjs.com/package/odbc#constructor-odbcpoolconnectionstring). The connection pool will initialize the first time
+ an `odbc` node receives an input message.
 #### Properties
 * (**required**) **`connectionString`**: <`string`>
-    An ODBC connection string that defines your DSN and/or connection string options. Check your ODBC driver documentation for more information about valid connection strings.
+    An ODBC connection string that defines your DSN and/or connection string options.
+ Check your ODBC driver documentation for more information about valid connection strings.
     Example:
     ```
@@ -71,7 +75,8 @@ A configuration node that manages connections in an `odbc.pool` object. [Can tak
 * (optional) **`loginTimeout`**: <`number`>
-    The number of seconds for an attempt to create a connection before returning to the application. Default: 3.
+    The number of seconds for an attempt to create a connection before returning to the application.
+ Default: 3.
 * (optional) **`syntaxChecker`**: <`boolean`>
@@ -92,21 +97,18 @@ A node that runs a query when input is received. Each instance of the node can d
     The ODBC pool node that defines the connection settings and manages the connection pool used by this node.
-* (optional) **`queryType`**: <`string`>
-    Selects the type of query to execute. Options are:
-    * `query`:  A regular SQL query. Parameters can be passed using Mustache templating or an array in `msg.parameters`.
-    * `statement`: A prepared statement. Requires `msg.parameters`.
 * (optional) **`query`**: <`string`>
-    A valid SQL query string.
-    * For `queryType: "query"`, it can contain parameters inserted using Mustache syntax (e.g., `{{{payload}}}`). You can also use placeholders (`?`) and provide an array of values in `msg.parameters`.
-    * For `queryType: "statement"`, it should use placeholders (`?`) for parameters.
+    A valid SQL query string.
+    * Can contain parameters inserted using Mustache syntax (e.g., `{{{payload}}}`).
+    * Can use placeholders (`?`) for parameters.
+    * Can embed parameters directly in the query string.
 * (**required**) **`result to`**: <`dot-notation string`>
-    The JSON nested element structure that will contain the result output. The string must be a valid JSON object structure using dot-notation, minus the `msg.` (e.g., `payload.results`) and must not start or end with a period. Square bracket notation is not allowed. The node input object is carried out to the output, as long as the output object name does not conflict with it. If the targeted output JSON object was already present in the input, the result from the query will be appended to it if it was itself an object (but not an array); otherwise, the original key/value pair will be overwritten.
+    The JSON nested element structure that will contain the result output. The string must be a valid JSON object structure using dot-notation, minus the `msg.` (e.g., `payload.results`) and must not start or end with a period. Square bracket notation is not allowed. The node input object is carried out to the output, as long as the output object name does not conflict with it. If the targeted output JSON object was already present in the input, the result from the query will be appended to it
+ if it was itself an object (but not an array); otherwise, the original key/value pair will be overwritten.
     Example:
@@ -124,9 +126,8 @@ The `odbc` node accepts a message input that can contain:
     *  A JSON string containing a `query` property with the SQL string.
     *  An object with a `query` property containing the SQL string.
 * **`parameters`**: <`array` or `object`>
-    *  Required for prepared statements (`queryType: "statement"`).
     *  Can be an array of values or an object mapping parameter names to values.
-    *  For regular queries (`queryType: "query"`) with placeholders (`?`), provide an array of values.
+    *  If the query contains placeholders (`?`) and `msg.parameters` is an object, the values will be automatically mapped to the placeholders based on the order of the parameters in the query.
 #### Outputs
@@ -134,4 +135,13 @@ Returns a message containing:
 * **`output object`**: <`array`> The `odbc` result array returned from the query.
 * **`odbc`**: <`object`> Contains additional information returned by the `odbc` module.
-* **`parsedQuery`**: <`object`> (Optional) The parsed SQL query if the syntax checker is enabled.
+* **`parsedQuery`**: <`object`> (Optional) The parsed SQL query if the syntax checker is enabled.
+**Automatic Prepared Statement Handling**
+The node automatically determines whether to use a prepared statement or a regular query based on the following:
+* **Presence of Placeholders:** If the query string contains placeholders (`?`), the node will use a prepared statement.
+* **`msg.parameters` Object:** If the `msg.parameters` object is provided (either as an array or an object), the node will use a prepared statement.
+This automatic handling ensures that your queries are executed in the most secure way possible, minimizing the risk of SQL injection vulnerabilities.

package/odbc.html CHANGED Viewed

@@ -99,9 +99,7 @@
     defaults: {
             name: {value:""},
             connection: {type:"odbc config", required:true},
-            queryType: { value: "query" },
             query: {value: ""},
-            parameters: {value: ""},
             outputObj: {value:"payload"}
     },
     inputs:1,
@@ -116,16 +114,6 @@
             mode: 'ace/mode/sql',
             value: this.query
         });
-        $("#node-input-queryType").on("change", function() {
-            if ($(this).val() === "statement") {
-                $("#node-input-parameters").show();
-            } else {
-                $("#node-input-parameters").hide();
-            }
-        });
-        // Trigger the change event initially to set the visibility
-        $("#node-input-queryType").trigger("change");
     },
     oneditsave: function() {
         this.query = this.editor.getValue();
@@ -151,140 +139,130 @@
             <input type="text" id="node-input-connection">
     </div>
-    <div class="form-row">
-        <label for="node-input-queryType"><i class="fa fa-code"></i> Query Type</label>
-        <select id="node-input-queryType">
-            <option value="query">Query</option>
-            <option value="statement">Prepared Statement</option>
-        </select>
-    </div>
     <div class="form-row node-text-editor-row">
         <label for="node-input-query" style="width: 100% !important;"><i class="fa fa-search"></i> Query</label>
         <div style="height: 250px;" class="node-text-editor" id="node-input-query-editor" ></div>
     </div>
-    <div class="form-row" id="node-input-parameters">
-        <label for="node-input-parameters-editor"><i class="fa fa-list"></i> Parameters</label>
-        <input type="text" id="node-input-parameters-editor">
-    </div>
     <div class="form-row">
             <label for="node-input-outputObj"><i class="fa fa-edit"></i> Result to</label>
             <span>msg.</span><input type="text" id="node-input-outputObj" placeholder="payload" style="width: 64%;">
     </div>
 </script>
 <script type="text/markdown" data-help-name="odbc config">
-    A configuration node that manages connections in an `odbc.pool` object.
-    [Can take any configuration property recognized by `odbc.pool()`](https://www.npmjs.com/package/odbc/v/2.4.8#constructor-odbcconnectconnectionstring).
-    The connection pool will initialize the first time an `odbc` node receives an input message.
+A configuration node that manages connections in an `odbc.pool` object.
+[Can take any configuration property recognized by `odbc.pool()`](https://www.npmjs.com/package/odbc/v/2.4.8#constructor-odbcconnectconnectionstring).
+The connection pool will initialize the first time an `odbc` node receives an input message.
-    ## Properties
+## Properties
-    * (**required**) **`connectionString`**: <`string`>
+* (**required**) **`connectionString`**: <`string`>
-        An ODBC connection string that defines your DSN and/or connection string options.
-        Check your ODBC driver documentation for more information about valid connection strings.
+    An ODBC connection string that defines your DSN and/or connection string options.
+    Check your ODBC driver documentation for more information about valid connection strings.
-        Example:
-        ```
-        DSN=MyDSN;DFT=2;
-        ```
+    Example:
+    ```
+    DSN=MyDSN;DFT=2;
+    ```
-    * (optional) **`initialSize`**: <`number`>
+* (optional) **`initialSize`**: <`number`>
-        The number of connections created in the pool when it is initialized. Default: 5.
+    The number of connections created in the pool when it is initialized. Default: 5.
-    * (optional) **`incrementSize`**: <`number`>
+* (optional) **`incrementSize`**: <`number`>
-        The number of connections that are created when the pool is exhausted. Default: 5.
+    The number of connections that are created when the pool is exhausted. Default: 5.
-    * (optional) **`maxSize`**: <`number`>
+* (optional) **`maxSize`**: <`number`>
-        The maximum number of connections allowed in the pool before it won't create any more. Default: 15.
+    The maximum number of connections allowed in the pool before it won't create any more. Default: 15.
-    * (optional) **`shrinkPool`**: <`boolean`>
+* (optional) **`shrinkPool`**: <`boolean`>
-        Whether the number of connections should be reduced to `initialSize` when they are returned to the pool. Default: true.
+    Whether the number of connections should be reduced to `initialSize` when they are returned to the pool. Default: true.
-    * (optional) **`connectionTimeout`**: <`number`>
+* (optional) **`connectionTimeout`**: <`number`>
-        The number of seconds for a connection to remain idle before closing. Default: 3.
+    The number of seconds for a connection to remain idle before closing. Default: 3.
-    * (optional) **`loginTimeout`**: <`number`>
+* (optional) **`loginTimeout`**: <`number`>
-        The number of seconds for an attempt to create a connection before returning to the application. Default: 3.
+    The number of seconds for an attempt to create a connection before returning to the application. Default: 3.
-    * (optional) **`syntaxChecker`**: <`boolean`>
+* (optional) **`syntaxChecker`**: <`boolean`>
-        Whether the syntax validator is activated or not. If activated, the query string will be
-        [parsed](https://www.npmjs.com/package/node-sql-parser#create-ast-for-sql-statement)
-        and appended as an object to the output message with a key named `parsedQuery`. Default: false.
+    Whether the syntax validator is activated or not. If activated, the query string will be
+    [parsed](https://www.npmjs.com/package/node-sql-parser#create-ast-for-sql-statement)
+    and appended as an object to the output message with a key named `parsedQuery`. Default: false.
-    * (optional) **`syntax`**: <`string`>
+* (optional) **`syntax`**: <`string`>
-        Dropdown list of the available [SQL flavors available](https://www.npmjs.com/package/node-sql-parser#supported-database-sql-syntax).
-        Default: mysql.
+    Dropdown list of the available [SQL flavors available](https://www.npmjs.com/package/node-sql-parser#supported-database-sql-syntax).
+    Default: mysql.
 </script>
 <script type="text/markdown" data-help-name="odbc">
-    A node that runs a query when input is received. Each instance of the node can define its own query string,
-    as well as take a query and/or parameters as input. A query sent as an input message will override any query
-    defined in the node properties.
+A node that runs a query when input is received. Each instance of the node can define its own query string,
+as well as take a query and/or parameters as input. A query sent as an input message will override any query
+defined in the node properties.
+## Properties
+* (**required**) **`connection`**: <`odbc config`>
-    ## Properties
+    The ODBC pool node that defines the connection settings and manages the connection pool used by this node.
-    * (**required**) **`connection`**: <`odbc config`>
+* (optional) **`query`**: <`string`>
-        The ODBC pool node that defines the connection settings and manages the connection pool used by this node.
+    A valid SQL query string.
+    * Can contain parameters inserted using Mustache syntax (e.g., `{{{payload}}}`).
+    * Can use placeholders (`?`) for parameters.
+    * Can embed parameters directly in the query string.
-    * (optional) **`queryType`**: <`string`>
+* (**required**) **`result to`**: <`dot-notation string`>
-        Selects the type of query to execute. Options are:
-        * `query`: A regular SQL query. Parameters can be passed using Mustache templating, a parameter array in `msg.parameters`, or directly in the query string.
-        * `statement`: A prepared statement (requires `msg.parameters`).
+    The JSON nested element structure that will contain the result output. The string must be a valid
+    JSON object structure using dot-notation, minus the `msg.` (e.g., `payload.results`) and must not
+    start or end with a period. Square bracket notation is not allowed. The node input object is carried
+    out to the output, as long as the output object name does not conflict with it. If the targeted output
+    JSON object was already present in the input, the result from the query will be appended to it if it
+    was itself an object (but not an array); otherwise, the original key/value pair will be overwritten.
-    * (optional) **`query`**: <`string`>
+    Example:
-        A valid SQL query string.
-        * For `queryType: "query"`, it can contain parameters inserted using Mustache syntax (e.g., `{{{payload}}}`). You can also use placeholders (`?`) and provide an array of values in `msg.parameters`, or embed the parameters directly in the query string.
-        * For `queryType: "statement"`, it should use placeholders (`?`) for parameters.
+    * `input msg: {"payload": {"result": {"othervalue": 10} } };`
+    * `result to: payload.results.values`
-    * (**required**) **`result to`**: <`dot-notation string`>
+    In this case, `values` will be appended to `result` without overwriting `othervalue`.
+    If `result` had been a string, then it would have been replaced by `values`.
-        The JSON nested element structure that will contain the result output. The string must be a valid
-        JSON object structure using dot-notation, minus the `msg.` (e.g., `payload.results`) and must not
-        start or end with a period. Square bracket notation is not allowed. The node input object is carried
-        out to the output, as long as the output object name does not conflict with it. If the targeted output
-        JSON object was already present in the input, the result from the query will be appended to it if it
-        was itself an object (but not an array); otherwise, the original key/value pair will be overwritten.
+## Inputs
-        Example:
+The `odbc` node accepts a message input that can contain:
-        * `input msg: {"payload": {"result": {"othervalue": 10} } };`
-        * `result to: payload.results.values`
+* **`query`**: <`string`> A valid SQL query string. This overrides the query defined in the node properties.
+* **`payload`**:
+    * A JSON string containing a `query` property with the SQL string.
+    * An object with a `query` property containing the SQL string.
+* **`parameters`**: <`array` or `object`>
+    * Can be an array of values corresponding to the placeholders (`?`) in the query.
+    * Can be an object mapping parameter names to values. If the query contains placeholders (`?`) and `msg.parameters` is an object, the values will be automatically mapped to the placeholders based on the order of the parameters in the query.
-        In this case, `values` will be appended to `result` without overwriting `othervalue`.
-        If `result` had been a string, then it would have been replaced by `values`.
+## Outputs
-    ## Inputs
+Returns a message containing:
-    The `odbc` node accepts a message input that can contain:
+* **`output object`**: <`array`> The `odbc` result array returned from the query.
+* **`odbc`**: <`object`> Contains additional information returned by the `odbc` module.
+* **`parsedQuery`**: <`object`> (Optional) The parsed SQL query if the syntax checker is enabled.
-    * **`query`**: <`string`> A valid SQL query string. This overrides the query defined in the node properties.
-    * **`payload`**:
-        * A JSON string containing a `query` property with the SQL string.
-        * An object with a `query` property containing the SQL string.
-    * **`parameters`**: <`array` or `object`>
-        * Required for prepared statements (`queryType: "statement"`).
-        * Can be an array of values or an object mapping parameter names to values.
-        * For regular queries (`queryType: "query"`) with placeholders (`?`), provide an array of values.
+## Automatic Prepared Statement Handling
-    ## Outputs
+The node automatically determines whether to use a prepared statement or a regular query based on the following:
-    Returns a message containing:
+* **Presence of Placeholders:** If the query string contains placeholders (`?`), the node will use a prepared statement.
+* **`msg.parameters` Object/Array:** If the `msg.parameters` object/array is provided, the node will use a prepared statement.
-    * **`output object`**: <`array`> The `odbc` result array returned from the query.
-    * **`odbc`**: <`object`> Contains additional information returned by the `odbc` module.
-    * **`parsedQuery`**: <`object`> (Optional) The parsed SQL query if the syntax checker is enabled.
+This automatic handling ensures that your queries are executed in the most secure way possible, minimizing the risk of SQL injection vulnerabilities.
 </script>

package/odbc.js CHANGED Viewed

@@ -1,14 +1,14 @@
 module.exports = function(RED) {
-    const odbcModule = require('odbc');
-    const mustache = require('mustache');
-    const objPath = require('object-path');
+    const odbcModule = require('odbc'); // Import the odbc module for database connectivity
+    const mustache = require('mustache'); // Import the mustache module for templating
+    const objPath = require('object-path'); // Import the object-path module for object manipulation
     // --- ODBC Configuration Node ---
     function poolConfig(config) {
-        RED.nodes.createNode(this, config);
-        this.config = config;
-        this.pool = null;
-        this.connecting = false;
+        RED.nodes.createNode(this, config); // Create a Node-RED node
+        this.config = config; // Store the node configuration
+        this.pool = null; // Initialize the connection pool
+        this.connecting = false; // Flag to indicate if the node is connecting
         const enableSyntaxChecker = this.config.syntaxtick; // Renamed for clarity
         const syntax = this.config.syntax;
@@ -71,8 +71,13 @@ module.exports = function(RED) {
                 this.status({ fill: "blue", shape: "dot", text: "querying..." });
                 this.config.outputObj = msg?.output || this.config?.outputObj;
-                const isPreparedStatement = this.config.queryType === "statement";
+                // Automatically determine if it's a prepared statement based on the presence of
+                // placeholders (?) in the query or if msg.parameters is an object/array.
+                const isPreparedStatement = msg?.parameters || this.queryString.includes('?');
                 this.queryString = this.config.query;
+                if (!this.queryString.length) {
+                    this.queryString = null;
+                }
                 // --- Construct the query string ---
                 if (!isPreparedStatement && this.queryString) {
@@ -89,6 +94,9 @@ module.exports = function(RED) {
                 // Handle cases where the query is provided in the message
                 if (msg?.query) {
+                    if (this.queryString) {
+                        node.log('Warning. The query defined in the node configuration was overwritten by msg.config.');
+                    }
                     this.queryString = msg.query;
                 } else if (msg?.payload) {
                     if (typeof msg.payload === 'string') {
@@ -107,19 +115,27 @@ module.exports = function(RED) {
                     throw new Error("No query to execute");
                 }
-                // --- Parameter validation for prepared statements ---
+                // --- Parameter handling for prepared statements ---
                 if (isPreparedStatement) {
-                    if (this.queryString.includes('?')) {
-                        if (!msg?.parameters) {
-                            throw new Error("Prepared statement requires msg.parameters");
-                        } else if (!Array.isArray(msg.parameters)) {
-                            throw new Error("msg.parameters must be an array");
-                        } else if ((this.queryString.match(/\?/g) || []).length !== msg.parameters.length) {
-                            throw new Error("Incorrect number of parameters");
-                        }
+                    if (!msg?.parameters) {
+                        throw new Error("Prepared statement requires msg.parameters");
                     } else {
-                        this.warn("Prepared statement without parameters. Consider using a regular query.");
+                        // If parameters are provided as an object, extract parameter names from the query
+                        // and create an ordered array of values for the prepared statement.
+                        if (typeof msg.parameters === 'object' && !Array.isArray(msg.parameters)) {
+                            const paramNames = this.queryString.match(/\(([^)]*)\)/)[1].split(',').map(el => el.trim());
+                            // Create an ordered array of values
+                            msg.parameters = paramNames.map(name => msg.parameters[name]);
+                        }
                     }
+                    // Validate the parameters array
+                    if (!Array.isArray(msg.parameters)) {
+                        throw new Error("msg.parameters must be an object or an array");
+                    } else if ((this.queryString.match(/\?/g) || []).length !== msg.parameters.length) {
+                        throw new Error("Incorrect number of parameters");
+                    }
                 }
                 // --- Syntax check ---
@@ -159,20 +175,17 @@ module.exports = function(RED) {
                 try {
                     let result;
                     if (isPreparedStatement) {
-                        const stmt = await this.connection.prepare(this.queryString);
+                        // --- Execute prepared statement ---
+                        const stmt = await this.connection.createStatement();
+                        await this.connection.prepare(this.queryString);
                         let values = msg.parameters;
-                        if (typeof values === 'object' && !Array.isArray(values)) {
-                            // Assuming your parameters are like this: (param1, param2, param3)
-                            const paramNames = this.queryString.match(/\(([^)]*)\)/)[1].split(',').map(el => el.trim());
-                            // Create an ordered array of values
-                            values = paramNames.map(name => msg.parameters[name]);
-                        }
+                        // Bind the values to the prepared statement
+                        await stmt.bind(values);
                         // Execute the prepared statement
-                        const result = await stmt.execute(values);
-                        stmt.finalize();
+                        result = await stmt.execute();
+                        stmt.close();
                     } else {
                         // --- Execute regular query ---
                         result = await this.connection.query(this.queryString, msg?.parameters);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bkmj/node-red-contrib-odbcmj",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "Node Red implementation of odbc.js",
   "keywords": [
     "node-red",