-
Notifications
You must be signed in to change notification settings - Fork 180
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
We need to be able to use parameterised insert queries to populate a table during migration #1292
Comments
Please note that we don't really need to be careful/sanitize parameters, because you should not use node-pg-migrate at runtime, but only for migration progresses. That aside, what would you propose as an API? And how does a current use-case look like right now (rough example). |
The current use case if for populating a static lookup table. I'd agree in theory you're only using your own data, so you should feel slightly safe, but in an open source environment an innocuous update of a data file could become an injection attack, so I want to be paranoid. I think my proposed api is to have a function that looks exactly like sql but which doesn't mustache. Current use case it this (previously insert with $1... $5)
|
Just me thinking out loud: Not sure if we should provide a However, I even know from myself in company work that there is best practice and real world scenario 🤣 ... So maybe we could add just the absolutely simplest form of such functions that in the end will more or less just to what you already do yourself with the pgm.insert('uk_station', {
station_name: '...',
// data for one station...
});
pgm.insertBulk('uk_station', [
{
station_name: '...',
// data for one station...
},
// ...
]); I have not thought that fully out yet, but I would be okay with it if you explore an initial draft PR on your own with that info and then I can review and see where it is going. |
@Shinigami92 Some kinds of data are part of the schema, or in other words some tables are pointless without data. If I have an entity such as |
Do you know https://www.postgresql.org/docs/current/datatype-enum.html ? |
I was not aware of that. If I were designing a new schema I might use that, but I've inherited an existing schema and reworking it is not an option at this time. That being said, I often like to have metadata attached to my classes/enumerations. |
As I said, I'm not against such an implementation, because I know how real-life and company work is. However, some real-talk... I'm currently in a mental health breakdown (partly because of today...). |
That's certainly fair, I am not entitled to your free labor. If this becomes a blocker for me I will open a PR. |
Description
It is currently quite messy to use parameterised inserts. If you naively use pgm.sql with $1 style parameters you get an error message related to regular expressions which is somewhat impenetrable if your not expecting mustache templating. If you use mustache templating, you are open to injection attacks. The only solution I can find is using pg-format for build the string (and I'm a bit worried if the result of that itself contains, for example $1.
Suggested solution
It would be nice to have access to an equivalent to pgm.sql() which doesn't do the mustaching. psm.sql_raw() for example. Either a new function, or an additional options argument on the existing one. However I prefer the separate function approach as it keeps the meaning simple and the option argument might be confused with an argument for the sql.
Alternative
pg-format is the only one I'm aware of.
Additional context
At minimum the regex error should be decorated with some explanation?
The text was updated successfully, but these errors were encountered: