Add .toSqlString() escapeId overriding

closes #57 closes #58
mysqljs · Mar 7, 2022 · 2ccc17a · 2ccc17a
1 parent cd52855
commit 2ccc17a
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 0 deletions.
diff --git a/HISTORY.md b/HISTORY.md
@@ -1,3 +1,8 @@
+unreleased
+==========
+
+  * Add `.toSqlString()` escapeId overriding
+
 2.3.3 / 2022-03-06
 ==================
 

diff --git a/README.md b/README.md
@@ -172,6 +172,10 @@ console.log(sql); // SELECT `username`, `email` FROM `users` WHERE id = 1
 ```
 **Please note that this last character sequence is experimental and syntax might change**
 
+To skip escaping one or more of the columns names that you pass to `SqlString.escapeId()`
+you may use `SqlString.raw()` similarly to how it is used with `SqlString.escape()`.
+See above for more details.
+
 When you pass an Object to `.escape()` or `.format()`, `.escapeId()` is used to avoid SQL injection in object keys.
 
 ### Formatting queries

diff --git a/lib/SqlString.js b/lib/SqlString.js
@@ -24,6 +24,8 @@ SqlString.escapeId = function escapeId(val, forbidQualified) {
     }
 
     return sql;
+  } else if (typeof val.toSqlString === 'function') {
+    return String(val.toSqlString());
   } else if (forbidQualified) {
     return '`' + String(val).replace(ID_GLOBAL_REGEXP, '``') + '`';
   } else {

diff --git a/test/unit/test-SqlString.js b/test/unit/test-SqlString.js
@@ -46,6 +46,14 @@ test('SqlString.escapeId', {
 
   'nested arrays are flattened': function() {
     assert.equal(SqlString.escapeId(['a', ['b', ['t.c']]]), '`a`, `b`, `t`.`c`');
+  },
+
+  'raw not escaped': function () {
+    assert.equal(SqlString.escapeId(SqlString.raw('*')), '*');
+  },
+
+  'raw within array not escaped': function () {
+    assert.equal(SqlString.escapeId(['a', SqlString.raw('*'), 'b']), '`a`, *, `b`');
   }
 });