@truto/sqlite-builder 2.0.2-canary.21 → 2.0.2-canary.24

Files changed (2)
  1. package/README.md +23 -23
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -1,28 +1,28 @@
1
- const results = db.prepare(complexQuery.text).all(...complexQuery.values)
2
- ```
1
+ To use the `regex` operator, you need to load a REGEXP extension in SQLite:
2
+
3
+ ```typescript
4
+ // With better-sqlite3
5
+ import sqlite3 from 'better-sqlite3'
3
6
 
4
- #### Kitchen Sink Examples
7
+ const db = new sqlite3('database.db')
5
8
 
6
- Real-world complex filters:
9
+ // Load REGEXP extension (varies by implementation)
10
+ // This is implementation-specific - check your SQLite setup
11
+ db.loadExtension('regexp') // Example - actual method may vary
7
12
 
8
- ```typescript
9
- // Active users in specific regions, either minors/seniors or VIP
10
- const complexFilter = {
11
- and: [
12
- { status: 'ACTIVE' },
13
- { or: [{ age: { lt: 18 } }, { age: { gte: 65 } }, { membership: 'VIP' }] },
14
- { country: { in: ['US', 'CA', 'GB'] } },
15
- { email: { exists: true } },
16
- { 'profile.verified': true },
17
- ],
13
+ // Now regex filters work
14
+ const filter = {
15
+ email: { regex: '^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$' },
18
16
  }
17
+ ```
18
+
19
+ ## 🛡️ Security Model
20
+
21
+ ### What's Protected
19
22
 
20
- // Content filtering with multiple criteria
21
- const contentFilter = {
22
- name: { like: 'Project%' },
23
- category: { nin: ['ARCHIVED', 'DELETED', 'SPAM'] },
24
- created_at: { exists: true },
25
- or: [
26
- { tags: { ilike: '%important%' } },
27
- { priority: { gte: 8 } },
28
- { 'metadata.featured': true },
23
+ - **SQL Injection**: All interpolated values are parameterized
24
+ - **Unforgeable fragments**: Only fragments created by this library can contribute raw SQL text. A plain `{ text, values }` object (e.g. from `JSON.parse` or a request body) is treated as a value, never as SQL, closing the structural duck-typing bypass
25
+ - **Placeholder integrity**: The `sql` tag rejects any query whose `?` count does not match its bound-value count, catching raw fragments that smuggle or drop placeholders
26
+ - **Safe `sql.join()` separators**: String separators are validated so they cannot introduce string literals, comments, statement terminators, or unbalanced parentheses; use a `SqlFragment` separator to parameterize the connector itself
27
+ - **Stacked Queries**: Queries containing `;` followed by additional SQL are rejected (detection ignores semicolons inside string literals and comments)
28
+ - **Identifier Safety**: `sql.ident()` validates against ANSI identifier rules and caps each part at 255 characters
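Review bot: The added setup snippet (`db.loadExtension('regexp') // Example - actual method may vary`) will not work as written with better-sqlite3, whose `loadExtension()` takes a filesystem path to a compiled shared library, not a bare extension name, and the hedged comment tells readers the doc was not verified; either show a real path to a built REGEXP extension (a clearly marked placeholder path is fine) and link the extension's build instructions, or say explicitly that the user must compile and locate the extension themselves. Two smaller points in the same hunk: the "Kitchen Sink Examples" section (`complexFilter` / `contentFilter`) is removed here with no replacement visible in this window, so confirm it was relocated rather than dropped; and the new "What's Protected" bullets make precise guarantees (placeholder-count check, separator validation, stacked-query rejection that skips `;` inside literals and comments, 255-character identifier parts), so each should be backed by a test in the package rather than asserted only in the README.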
package/package.json CHANGED
@@ -1 +1 @@
1
- {"name":"@truto/sqlite-builder","version":"2.0.2-canary.21","description":"debug canary","license":"MIT","main":"index.js"}
1
+ {"name":"@truto/sqlite-builder","version":"2.0.2-canary.24","description":"debug canary","license":"MIT","main":"index.js"}
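Review bot: Only the `version` field changes in this hunk (2.0.2-canary.21 to 2.0.2-canary.24), so the new README text above ships without any accompanying code or test change in this diff; since the README now documents a security model, make sure those guarantees are established by the published `index.js` of this canary and not only by the docs. Also, `"description":"debug canary"` is placeholder text that will show on the registry listing for every canary build; consider replacing it with the real package description before the non-canary 2.0.2 release.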