Improved append(...) and nested statements

Andrea Giammarchi · Andrea Giammarchi · commit b3981f159354 · 2019-03-01T10:05:22.000+01:00
This MR addresses all concerns and optimizations reised in felixfbecker#30 and felixfbecker#44 * SQLStatement can be used as value * raw names can be passed via `'${'table_' + name}'` with `'` or `"` transform * `.append(...)` doesn't need a space at the beginning, it's handled automatically
diff --git a/index.js b/index.js
@@ -1,5 +1,13 @@
 'use strict'
 
+const lsp = str => (/^[\s\n\r]/.test(str) ? str : ' ' + str)
+const push = (str, val, statement, spaced) => {
+  const { strings } = statement
+  str[str.length - 1] += spaced ? lsp(strings[0]) : strings[0]
+  str.push(...strings.slice(1))
+  val.push(...(statement.values || statement.bind))
+}
+
 class SQLStatement {
   /**
    * @param {string[]} strings
@@ -25,20 +33,19 @@ class SQLStatement {
    * @returns {this}
    */
   append(statement) {
+    const { strings } = this
     if (statement instanceof SQLStatement) {
-      this.strings[this.strings.length - 1] += statement.strings[0]
-      this.strings.push.apply(this.strings, statement.strings.slice(1))
-      const list = this.values || this.bind
-      list.push.apply(list, statement.values)
+      push(strings, this.values || this.bind, statement, true)
     } else {
-      this.strings[this.strings.length - 1] += statement
+      strings[strings.length - 1] += lsp(statement)
     }
     return this
   }
 
   /**
    * Use a prepared statement with Sequelize.
-   * Makes `query` return a query with `$n` syntax instead of `?`  and switches the `values` key name to `bind`
+   * Makes `query` return a query with `$n` syntax instead of `?`
+   * and switches the `values` key name to `bind`
    * @param {boolean} [value=true] value If omitted, defaults to `true`
    * @returns this
    */
@@ -74,16 +81,54 @@ Object.defineProperty(SQLStatement.prototype, 'sql', {
   },
 })
 
+class SQLQuote {
+  constructor(chr) {
+    this.char = chr
+    this.escape = new RegExp(chr, 'g')
+  }
+}
+
 /**
  * @param {string[]} strings
  * @param {...any} values
  * @returns {SQLStatement}
  */
-function SQL(strings) {
-  return new SQLStatement(strings.slice(0), Array.from(arguments).slice(1))
+function SQL(tpl, ...val) {
+  const strings = [tpl[0]]
+  const values = []
+  for (let { length } = tpl, prev = tpl[0], j = 0, i = 1; i < length; i++) {
+    const current = tpl[i]
+    const value = val[i - 1]
+    if (/^('|")/.test(current) && RegExp.$1 === prev.slice(-1)) {
+      if (this instanceof SQLQuote) {
+        strings[j] = [
+          strings[j].slice(0, -1),
+          String(value).replace(this.escape, '\\$&'),
+          current.slice(1)
+        ].join(this.char)
+      } else {
+        throw new Error(`unable to escape ${value}`)
+      }
+    } else {
+      if (value instanceof SQLStatement) {
+        push(strings, values, value, false)
+        j = strings.length - 1
+        strings[j] += current
+      } else {
+        values.push(value)
+        j = strings.push(current) - 1
+      }
+      prev = strings[j]
+    }
+  }
+  return new SQLStatement(strings, values)
 }
 
+SQL.withQuote = quote => {
+  const sqlQuote = new SQLQuote(quote)
+  return (...args) => SQL.apply(sqlQuote, args)
+}
+SQL.SQL = SQL
+SQL.default = SQL
+SQL.SQLStatement = SQLStatement
 module.exports = SQL
-module.exports.SQL = SQL
-module.exports.default = SQL
-module.exports.SQLStatement = SQLStatement
diff --git a/test/unit.js b/test/unit.js
@@ -118,4 +118,33 @@ describe('SQL', () => {
       assert.deepStrictEqual(statement.values, [123])
     })
   })
+
+  describe('Auto Escape', () => {
+    it('should escape the table name', () => {
+      const sql = SQL.withQuote('`');
+      assert.strictEqual(sql`SELECT * FROM '${`table_${123}`}'`.sql, 'SELECT * FROM `table_123`')
+    })
+    it('should have no extra values', () => {
+      const sql = SQL.withQuote('`');
+      assert.strictEqual(sql`SELECT * FROM '${`table_${123}`}'`.values.length, 0)
+    })
+    it('should throw if no escape', () => {
+      try {
+        SQL`SELECT * FROM '${`table_${123}`}'`
+        assert.strictEqual(true, false)
+      } catch (e) {
+        assert.strictEqual(true, true)
+      }
+    })
+  })
+
+  describe('Nested SQLStatement', () => {
+    it('should pollute the initial statement', () => {
+      const name = 'no-shenanigans'
+      const age = Math.random()
+      const sql = SQL`SELECT * FROM table WHERE ${SQL`name = ${name}`} AND age = ${age}`
+      assert.strictEqual(sql.sql, 'SELECT * FROM table WHERE name = ? AND age = ?')
+      assert.deepStrictEqual(sql.values, [name, age])
+    })
+  })
 })
