npm - @restura/core - Versions diffs - 0.1.0-alpha.27 → 0.1.0-alpha.29 - Mend

@restura/core 0.1.0-alpha.27 → 0.1.0-alpha.29

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.mts CHANGED Viewed

@@ -2565,6 +2565,15 @@ declare class PsqlTransaction extends PsqlConnection {
     protected query<R extends QueryResultRow = QueryResultRow, T extends Array<unknown> = unknown[]>(query: string, values?: QueryConfigValues<T>): Promise<QueryResult<R>>;
 }
+/**
+ * This method does a couple of things:
+ * 1. It escapes the column name to prevent SQL injection by removing any double quotes.
+ * 2. It wraps the column name in double quotes to prevent any issues with reserved words or casing.
+ * 3. It replaces any periods in the column name with a period wrapped in double quotes to prevent any issues with schema names.
+ * NOTE: I looked into using pg-format ident() method but that will strip the double quotes when not needed.
+ * @param columnName
+ * @returns
+ */
 declare function escapeColumnName(columnName: string | undefined): string;
 /**
  * Converts a query with question marks to a query with numbered parameters,
@@ -2573,9 +2582,30 @@ declare function escapeColumnName(columnName: string | undefined): string;
  * @returns A string with numbered parameters such as $1, $2 in replacement of question marks
  */
 declare function questionMarksToOrderedParams(query: string): string;
+/**
+ * Creates a query to insert an object into a table.
+ * @param table Table name to insert the object into
+ * @param obj  Data to insert into the table
+ * @returns the query to insert the object into the table
+ */
 declare function insertObjectQuery(table: string, obj: DynamicObject): string;
+/**
+ * Creates a query to update an object in a table.
+ * @param table Table name to update the object in
+ * @param obj Data to update in the table
+ * @param whereStatement Where clause to determine which rows to update
+ * @returns the query to update the object in the table
+ */
 declare function updateObjectQuery(table: string, obj: DynamicObject, whereStatement: string): string;
 declare function isValueNumber(value: unknown): value is number;
-declare function SQL(strings: any, ...values: any): any;
+/**
+ * This method is used to format a query and escape user input.
+ * Use this with the SQL tag to escape user input. For example:
+ * SQL`UPDATE "USER" SET "firstName" = ${firstName}, "isActive" = ${isActive} WHERE "id" = ${id} RETURNING *`
+ * @param strings template strings array
+ * @param values values to escape
+ * @returns An escaped query with user input
+ */
+declare function SQL(strings: TemplateStringsArray, ...values: unknown[]): string;
 export { type ActionColumnChangeData, type ActionColumnChangeFilter, type ActionRowDeleteData, type ActionRowDeleteFilter, type ActionRowInsertData, type ActionRowInsertFilter, type ApiMethod, type AsyncExpressApplication, type AuthenticateHandler, type AuthenticationUserDetails, type ConjunctionTypes, type DatabaseActionData, type DynamicObject, type ErrorCode, type EventType, HtmlStatusCodes, type MatchTypes, type MutationType, type PageQuery, PsqlConnection, PsqlEngine, PsqlPool, PsqlTransaction, type QueryMetadata, type RequesterDetails, RsError, type RsErrorData, type RsErrorInternalData, type RsHeaders, type RsPagedResponseData, type RsRequest, type RsResponse, type RsResponseData, type RsRouteHandler, SQL, type SchemaChangeValue, type SchemaPreview, type SqlMutationData, type StandardOrderTypes, type TriggerResult, type ValidAuthenticationCallback, escapeColumnName, eventManager, insertObjectQuery, isValueNumber, logger, questionMarksToOrderedParams, restura, updateObjectQuery };

package/dist/index.d.ts CHANGED Viewed

@@ -2565,6 +2565,15 @@ declare class PsqlTransaction extends PsqlConnection {
     protected query<R extends QueryResultRow = QueryResultRow, T extends Array<unknown> = unknown[]>(query: string, values?: QueryConfigValues<T>): Promise<QueryResult<R>>;
 }
+/**
+ * This method does a couple of things:
+ * 1. It escapes the column name to prevent SQL injection by removing any double quotes.
+ * 2. It wraps the column name in double quotes to prevent any issues with reserved words or casing.
+ * 3. It replaces any periods in the column name with a period wrapped in double quotes to prevent any issues with schema names.
+ * NOTE: I looked into using pg-format ident() method but that will strip the double quotes when not needed.
+ * @param columnName
+ * @returns
+ */
 declare function escapeColumnName(columnName: string | undefined): string;
 /**
  * Converts a query with question marks to a query with numbered parameters,
@@ -2573,9 +2582,30 @@ declare function escapeColumnName(columnName: string | undefined): string;
  * @returns A string with numbered parameters such as $1, $2 in replacement of question marks
  */
 declare function questionMarksToOrderedParams(query: string): string;
+/**
+ * Creates a query to insert an object into a table.
+ * @param table Table name to insert the object into
+ * @param obj  Data to insert into the table
+ * @returns the query to insert the object into the table
+ */
 declare function insertObjectQuery(table: string, obj: DynamicObject): string;
+/**
+ * Creates a query to update an object in a table.
+ * @param table Table name to update the object in
+ * @param obj Data to update in the table
+ * @param whereStatement Where clause to determine which rows to update
+ * @returns the query to update the object in the table
+ */
 declare function updateObjectQuery(table: string, obj: DynamicObject, whereStatement: string): string;
 declare function isValueNumber(value: unknown): value is number;
-declare function SQL(strings: any, ...values: any): any;
+/**
+ * This method is used to format a query and escape user input.
+ * Use this with the SQL tag to escape user input. For example:
+ * SQL`UPDATE "USER" SET "firstName" = ${firstName}, "isActive" = ${isActive} WHERE "id" = ${id} RETURNING *`
+ * @param strings template strings array
+ * @param values values to escape
+ * @returns An escaped query with user input
+ */
+declare function SQL(strings: TemplateStringsArray, ...values: unknown[]): string;
 export { type ActionColumnChangeData, type ActionColumnChangeFilter, type ActionRowDeleteData, type ActionRowDeleteFilter, type ActionRowInsertData, type ActionRowInsertFilter, type ApiMethod, type AsyncExpressApplication, type AuthenticateHandler, type AuthenticationUserDetails, type ConjunctionTypes, type DatabaseActionData, type DynamicObject, type ErrorCode, type EventType, HtmlStatusCodes, type MatchTypes, type MutationType, type PageQuery, PsqlConnection, PsqlEngine, PsqlPool, PsqlTransaction, type QueryMetadata, type RequesterDetails, RsError, type RsErrorData, type RsErrorInternalData, type RsHeaders, type RsPagedResponseData, type RsRequest, type RsResponse, type RsResponseData, type RsRouteHandler, SQL, type SchemaChangeValue, type SchemaPreview, type SqlMutationData, type StandardOrderTypes, type TriggerResult, type ValidAuthenticationCallback, escapeColumnName, eventManager, insertObjectQuery, isValueNumber, logger, questionMarksToOrderedParams, restura, updateObjectQuery };

package/dist/index.js CHANGED Viewed

@@ -1612,6 +1612,8 @@ function SQL(strings, ...values) {
       query += value;
     } else if (typeof value === "number") {
       query += value;
+    } else if (Array.isArray(value)) {
+      query += import_pg_format.default.literal(JSON.stringify(value)) + "::jsonb";
     } else {
       query += import_pg_format.default.literal(value);
     }