Software engineer & creator of internet things. Node.js aficionado since 2011, React lover since 2014.
Head of solarwallet.io at SatoshiPay (satoshipay.io).
Nahhh, I appreciate the "we". Sounds like a community effort already :)
I try to keep it shorter this time... ^
So the big picture overview as of right now is:

**Squid:**

- has two functionalities
  - mark SQL queries as such via the `sql` template tag
  - turn the query string with the interpolated expressions into a query object (at runtime)
- that query object varies between database drivers, so as of right now it requires either
  - having a tiny adapter for each db in squid (maybe three lines of code each, but yeah, not 100% elegant)
  - wrapping the db driver's query function into a three-line adapter function
- it's the runtime side of the whole thing

**Postguard:**

- is only a static build step, no runtime
- might make it more generic in the future, supporting other databases as well
- or create sibling tools for other databases, sharing the babel/typescript parts of the code
> Checking every query invocation means that squid HAS to be tied to a specific framework or set of frameworks

No, squid could basically be completely db-agnostic, since all it does is super generic. All the validation happens at build time by postguard.

The reason why it's SQL-injection proof is that squid doesn't merge the expressions into the SQL query string yet, but produces a string with parameters à la `$1` and an array of the expression values, so the database driver can figure out how to escape them in a waterproof way.

I hope that sheds some light on things, because it seems there was some confusion about the big picture concepts (-> will need to improve the readme files, I guess).
But sure, there is still room for various improvements and I love to hear your thoughts :)
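To make the runtime side described in the comment above concrete, here is an added illustration (not squid's own code) of a template tag that keeps interpolated values out of the SQL text and emits a `{ text, values }` object with `$1`, `$2`, ... placeholders; the names `sql`, `SqlFragment`, `toQuery` and the output shape are assumptions for this example, and the sample input is constructed.

```javascript
// Added example: a minimal sql`` tag that produces a parameterised query
// object instead of a concatenated string. Not squid's implementation;
// `SqlFragment`, `toQuery` and the { text, values } shape are assumed here.

class SqlFragment {
  constructor(strings, values) {
    this.strings = strings; // static SQL pieces written by the developer
    this.values = values;   // interpolated expressions, kept apart from the text
  }
}

// Template tag: sql`SELECT ... WHERE id = ${id}`
function sql(strings, ...values) {
  return new SqlFragment(strings, values);
}

// Flatten a fragment (possibly containing nested sql`` fragments) into the
// driver-facing shape: parameterised text plus an ordered values array.
function toQuery(fragment) {
  const values = [];
  function walk(frag) {
    let text = frag.strings[0];
    frag.values.forEach((value, i) => {
      if (value instanceof SqlFragment) {
        // Nested fragment: its static text is developer-written SQL, its
        // values get their own placeholders; plain values never touch the text.
        text += walk(value);
      } else {
        values.push(value);
        text += `$${values.length}`;
      }
      text += frag.strings[i + 1];
    });
    return text;
  }
  const text = walk(fragment);
  return { text, values };
}

// Constructed sample input: a user-supplied name containing a quote character,
// which would break (or alter) a naively concatenated query string.
const userInput = "O'Brien";
const whereClause = sql`WHERE name = ${userInput} AND active = ${true}`;
const query = toQuery(sql`SELECT id FROM users ${whereClause} LIMIT ${10}`);
// query.text   -> "SELECT id FROM users WHERE name = $1 AND active = $2 LIMIT $3"
// query.values -> ["O'Brien", true, 10]
```

The driver (e.g. a Postgres client) receives `query.text` and `query.values` separately, so the quote in the user value is data, never SQL.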