@truto/sqlite-builder 2.0.2-canary.22 → 2.0.2-canary.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/README.md +21 -21
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -1,28 +1,28 @@
1
- ],
2
- }
3
- ```
4
-
5
- ### Integration with SQL Template
1
+ To use the `regex` operator, you need to load a REGEXP extension in SQLite:
6
2
 
7
3
  ```typescript
8
- import { sql, compileFilter } from '@truto/sqlite-builder'
4
+ // With better-sqlite3
5
+ import sqlite3 from 'better-sqlite3'
6
+
7
+ const db = new sqlite3('database.db')
9
8
 
10
- // Build the WHERE clause
9
+ // Load REGEXP extension (varies by implementation)
10
+ // This is implementation-specific - check your SQLite setup
11
+ db.loadExtension('regexp') // Example - actual method may vary
12
+
13
+ // Now regex filters work
11
14
  const filter = {
12
- status: 'ACTIVE',
13
- age: { gte: 18 },
14
- role: { in: ['USER', 'ADMIN'] },
15
+ email: { regex: '^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$' },
15
16
  }
17
+ ```
18
+
19
+ ## 🛡️ Security Model
16
20
 
17
- // Use in complete query — the filter fragment and the LIMIT value are
18
- // collected in order, so query.values lines up with the placeholders.
19
- const query = sql`
20
- SELECT id, name, email, created_at
21
- FROM users
22
- WHERE ${compileFilter(filter)}
23
- ORDER BY created_at DESC
24
- LIMIT ${limit}
25
- `
21
+ ### What's Protected
26
22
 
27
- // Execute with driver
28
- const results = db.prepare(query.text).all(...query.values)
23
+ - **SQL Injection**: All interpolated values are parameterized
24
+ - **Unforgeable fragments**: Only fragments created by this library can contribute raw SQL text. A plain `{ text, values }` object (e.g. from `JSON.parse` or a request body) is treated as a value, never as SQL, closing the structural duck-typing bypass
25
+ - **Placeholder integrity**: The `sql` tag rejects any query whose `?` count does not match its bound-value count, catching raw fragments that smuggle or drop placeholders
26
+ - **Safe `sql.join()` separators**: String separators are validated so they cannot introduce string literals, comments, statement terminators, or unbalanced parentheses; use a `SqlFragment` separator to parameterize the connector itself
27
+ - **Stacked Queries**: Queries containing `;` followed by additional SQL are rejected (detection ignores semicolons inside string literals and comments)
28
+ - **Identifier Safety**: `sql.ident()` validates against ANSI identifier rules and caps each part at 255 characters
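Review bot: the `db.loadExtension('regexp') // Example - actual method may vary` line in the new REGEXP section is not a working instruction: better-sqlite3's `loadExtension` takes a filesystem path to a compiled extension library, not a bare name, and the surrounding comments ("varies by implementation", "check your SQLite setup") concede the reader is left to guess. Either document one concrete, tested setup (which extension to install and the path it is loaded from) or replace the call with an obviously labelled placeholder such as `db.loadExtension('/path/to/regexp-extension')`. Since loading an extension executes native code with the process's privileges, the text should also say to load it only from a trusted, fixed path. Two further points on the same hunk: the removed "Integration with SQL Template" block (the `sql` tag with `compileFilter(filter)`, `LIMIT ${limit}` and `db.prepare(query.text).all(...query.values)`) was the one end-to-end example showing how the parameterized `query.values` line up with the placeholders that the new "Placeholder integrity" bullet describes; if it was moved elsewhere in the README rather than dropped, a cross-reference here would help, and if it was dropped it should come back. And the new "Security Model" section lists what the `sql` tag guarantees but says nothing about the `regex` operator introduced just above it; a sentence noting that regex pattern matching is performed by the loaded extension, outside this library's parameterization guarantees, would keep the section's "What's Protected" claims accurate.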
package/package.json CHANGED
@@ -1 +1 @@
1
- {"name":"@truto/sqlite-builder","version":"2.0.2-canary.22","description":"debug canary","license":"MIT","main":"index.js"}
1
+ {"name":"@truto/sqlite-builder","version":"2.0.2-canary.24","description":"debug canary","license":"MIT","main":"index.js"}
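Review bot: the version goes from `2.0.2-canary.22` straight to `2.0.2-canary.24`, skipping canary.23, while the only other change in this release is the README edit above; confirm the skipped prerelease number is intentional (e.g. a failed publish) so consumers pinning canary builds are not left looking for a version that never existed.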