@truto/sqlite-builder 2.0.2-canary.24 → 2.0.2-canary.25
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +23 -23
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -1,28 +1,28 @@
|
|
|
1
|
-
|
|
1
|
+
- **Length Limits**: Queries exceeding 100KB are rejected; `compileFilter()` enforces the same cap on its output
|
|
2
|
+
- **Pattern Limits**: `like`/`ilike`/`regex` patterns are capped at 1024 characters to bound matching cost at the SQLite layer
|
|
3
|
+
- **Filter Security**: JSON filters validate operators, identifiers, and enforce limits
|
|
2
4
|
|
|
3
|
-
|
|
4
|
-
// With better-sqlite3
|
|
5
|
-
import sqlite3 from 'better-sqlite3'
|
|
6
|
-
|
|
7
|
-
const db = new sqlite3('database.db')
|
|
5
|
+
### What's Your Responsibility
|
|
8
6
|
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
7
|
+
- **Never use `sql.raw()` with user input**
|
|
8
|
+
- **Validate identifiers before using `sql.ident()`** (though it has built-in validation)
|
|
9
|
+
- **Use `sql.in()` instead of string concatenation** for arrays
|
|
10
|
+
- **Keep your SQLite driver updated**
|
|
11
|
+
- **Load REGEXP extension safely** if using regex filters
|
|
12
12
|
|
|
13
|
-
|
|
14
|
-
const filter = {
|
|
15
|
-
email: { regex: '^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$' },
|
|
16
|
-
}
|
|
17
|
-
```
|
|
13
|
+
### Supported Value Types
|
|
18
14
|
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
15
|
+
```typescript
|
|
16
|
+
// ✅ Safe types (automatically parameterized)
|
|
17
|
+
const query = sql`
|
|
18
|
+
INSERT INTO users (name, age, active, created_at, data, deleted_at)
|
|
19
|
+
VALUES (
|
|
20
|
+
${'John'}, // string
|
|
21
|
+
${30}, // number
|
|
22
|
+
${true}, // boolean
|
|
23
|
+
${new Date()}, // Date → 'YYYY-MM-DD HH:MM:SS'
|
|
24
|
+
${null}, // null
|
|
25
|
+
${undefined} // undefined → null
|
|
26
|
+
)
|
|
27
|
+
`
|
|
22
28
|
|
|
23
|
-
- **SQL Injection**: All interpolated values are parameterized
|
|
24
|
-
- **Unforgeable fragments**: Only fragments created by this library can contribute raw SQL text. A plain `{ text, values }` object (e.g. from `JSON.parse` or a request body) is treated as a value, never as SQL, closing the structural duck-typing bypass
|
|
25
|
-
- **Placeholder integrity**: The `sql` tag rejects any query whose `?` count does not match its bound-value count, catching raw fragments that smuggle or drop placeholders
|
|
26
|
-
- **Safe `sql.join()` separators**: String separators are validated so they cannot introduce string literals, comments, statement terminators, or unbalanced parentheses; use a `SqlFragment` separator to parameterize the connector itself
|
|
27
|
-
- **Stacked Queries**: Queries containing `;` followed by additional SQL are rejected (detection ignores semicolons inside string literals and comments)
|
|
28
|
-
- **Identifier Safety**: `sql.ident()` validates against ANSI identifier rules and caps each part at 255 characters
|
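Review bot: the new side of this hunk opens a ```typescript fence at README line 15 that is never closed within the 28 lines shown, and the old side closes a fence at line 17 that has no opening above it, so on both sides these first 28 lines are an out-of-order slice of the README rather than a coherent document; treat this as a generation bug and regenerate the file from its source instead of committing the slice. The bullets removed at old lines 23-28 (`- **SQL Injection**: All interpolated values are parameterized`, `- **Unforgeable fragments**: ...`, `- **Placeholder integrity**: ...`, plus the `sql.join()` separator, stacked-query and `sql.ident()` items) are the library's core injection-resistance guarantees and should be confirmed as still present elsewhere in the README rather than dropped, since they are what a consumer reads to decide whether the `### What's Your Responsibility` list is sufficient. The three bullets added at new lines 1-3 (`Length Limits`, `Pattern Limits`, `Filter Security`) also sit above the first heading with no parent section, and the `better-sqlite3` setup lines removed at old lines 4-7 have no replacement in the hunk.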
package/package.json
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"name":"@truto/sqlite-builder","version":"2.0.2-canary.
|
|
1
|
+
{"name":"@truto/sqlite-builder","version":"2.0.2-canary.25","description":"debug canary","license":"MIT","main":"index.js"}
|
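Review bot: the only change in this hunk is the bump to `2.0.2-canary.25`, but the resulting manifest is a single line carrying just `name`, `version`, `description`, `license` and `main`, with `"description":"debug canary"`; for a library whose README documents a TypeScript API there is no `types` or `exports` field, so this publish ships no type declarations, and the old line is cut off after `2.0.2-canary.`, so the diff cannot show which fields (if any) were dropped between canary.24 and canary.25. Suggest confirming that the published tarball actually contains the `index.js` named in `main`, and that this debug release is published under a canary dist-tag rather than `latest` so that a plain install of `@truto/sqlite-builder` does not resolve to it.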