Node-postgres: named parameters query (nodejs)

Question

I used to name my parameters in my SQL query when preparing it for practical reasons like in php with PDO.

So can I use named parameters with node-postgres module?

For now, I saw many examples and docs on internet showing queries like so:

client.query("SELECT * FROM foo WHERE id = $1 AND color = $2", [22, 'blue']);

But is this also correct?

client.query("SELECT * FROM foo WHERE id = :id AND color = :color", {id: 22, color: 'blue'});

or this

client.query("SELECT * FROM foo WHERE id = ? AND color = ?", [22, 'blue']);

I'm asking this because of the numbered parameter $n that doesn't help me in the case of queries built dynamically.

In pg-promise there is very flexible Named Parameter formatting, even with Raw-Text formatting, plus Custom-Type formatting. — vitaly-t
– vitaly-t, Commented Sep 16, 2015 at 18:26
Thanks for the link, I heard about this module but didn't go further. It's what I'm looking for! — AnomalySmith
– AnomalySmith, Commented Sep 16, 2015 at 21:07

pihvi · Accepted Answer · 2016-11-16 20:42:07Z

10

There is a library for what you are trying to do. Here's how:

var sql = require('yesql').pg

client.query(sql("SELECT * FROM foo WHERE id = :id AND color = :color")({id: 22, color: 'blue'}));

answered Nov 16, 2016 at 20:42

pihvi

3192 silver badges6 bronze badges

Sign up to request clarification or add additional context in comments.

2 Comments

AnomalySmith Over a year ago

At least, seems to be a fresh solution one year later! I'll give it a try asap and let you know.Thanks :)

Marc H. Weiner Over a year ago

Great lib, but I prefer answers to SO answers that are based on first principles (don't require libraries), with a mention of the lib for reference in case OP wants that.

velop · Accepted Answer · 2021-11-19 18:46:28Z

8

QueryConvert to the rescue. It will take a parameterized sql string and an object and converts it to pg conforming query config.

type QueryReducerArray = [string, any[], number];
export function queryConvert(parameterizedSql: string, params: Dict<any>) {
    const [text, values] = Object.entries(params).reduce(
        ([sql, array, index], [key, value]) => [sql.replace(`:${key}`, `$${index}`), [...array, value], index + 1] as QueryReducerArray,
        [parameterizedSql, [], 1] as QueryReducerArray
    );
    return { text, values };
}

Usage would be as follows:

client.query(queryConvert("SELECT * FROM foo WHERE id = :id AND color = :color", {id: 22, color: 'blue'}));

answered Nov 19, 2021 at 18:46

velop

3,2641 gold badge29 silver badges31 bronze badges

6 Comments

Artem Kolodko Over a year ago

Thank you! Good util function, no need to use library for this

velop Over a year ago

@ArtemKolodko please also see my latest answer below. Which I think is even neater :)

andymel Over a year ago

I get: Cannot find name 'Dict'. What imports are necessary for this to be recognized?

velop Over a year ago

Hi @andymel it is a custom type I find to be handy: interface Dict<T> { [Key: string]: T }

Christopher Caldwell Over a year ago

Does this introduce any risk of SQL Injection? I don't know for certain, but I think passing the values in the 2nd arg array does some sort of cleanse under the hood to prevent interpolation being used as an avenue for attack.

|

Kevin Sanchez · Accepted Answer · 2015-09-16 13:45:09Z

-1

I have been working with nodejs and postgres. I usually execute queries like this:

client.query("DELETE FROM vehiculo WHERE vehiculo_id= $1", [id], function (err, result){ //Delete a record in de db
    if(err){
        client.end();//Close de data base conection
      //Error code here
    }
    else{
      client.end();
      //Some code here
    }
  });

answered Sep 16, 2015 at 13:45

Kevin Sanchez

2,2712 gold badges14 silver badges19 bronze badges

1 Comment

AnomalySmith Over a year ago

Yeah, I omit callback but there is still the problem.

velop · Accepted Answer · 2022-01-29 08:41:16Z

-1

Not exactly what the OP is asking for. But you could also use:

import SQL from 'sql-template-strings';

client.query(SQL`SELECT * FROM unicorn WHERE color = ${colorName}`)

It uses tag functions in combination with template literals to embed the values

answered Jan 29, 2022 at 8:41

velop

3,2641 gold badge29 silver badges31 bronze badges

5 Comments

Novellizator Over a year ago

will this prevent sql injection?

velop Over a year ago

Yes, that is the purpose of sql-template-strings

Novellizator Over a year ago

Feel dangerous as hell, injecting raw values like this and sanitizing it on the library level. As least fi I understood correctly.

velop Over a year ago

dunno, you always have to trust functions at some point of time. But of course it is easier for an junior to remove SQL from the beginning of the string and missing it in a code review. Than probably my top voted function is a better fit for you.

Jan Over a year ago

It's not sanitized at the library level, the library just converts this to { text: 'SELECT * FROM unicorn WHERE color = $1', values: [colorName] }

Collectives™ on Stack Overflow

Node-postgres: named parameters query (nodejs)

4 Answers 4

2 Comments

6 Comments

1 Comment

5 Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

4 Answers 4

2 Comments

6 Comments

1 Comment

5 Comments

Your Answer

Sign up or log in

Post as a guest

Related