The latest articles on DEV Community by Julien Cavaleiro (@juliencavaleiro). https://dev.to/juliencavaleiro https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F184454%2F380c6081-fb16-414c-a06a-0902bb5e9232.jpg https://dev.to/juliencavaleiro en Julien Cavaleiro Sun, 24 May 2020 19:17:55 +0000 https://dev.to/juliencavaleiro/exploration-of-tagged-template-literals-2jkl https://dev.to/juliencavaleiro/exploration-of-tagged-template-literals-2jkl <p>Hi, this is my first-ever blog post. I'm a French developer around Strasbourg. It's a repost from <a href="https://cavaleiro.fr">my website</a>. Feel free to comment to help me improve my writing and my English (I'm still learning it).</p> <p>Tagged template literal is a powerful feature of JS, standardized with ES2015,<br> and supported by most browser.</p> <blockquote> <p>But, how does it work exactly?</p> </blockquote> <p>It's a special function where you can add <strong>custom interpolation</strong>.</p> <p>Interpolation example :</p> <ul> <li>highlight text.</li> <li>create custom CSS (see css-in-js solutions).</li> <li>interpolate variables from SQL query (more below).</li> </ul> <p>And here a custom tagged template function:<br> </p> <div class="highlight"><pre class="highlight javascript"><code><span class="kd">function</span> <span class="nx">myTaggedTemplate</span><span class="p">(</span><span class="nx">parts</span><span class="p">,</span> <span class="nx">coolVariable</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">parts</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">coolVariable</span><span class="p">)</span> <span class="p">}</span> <span class="nx">myTaggedTemplate</span><span class="s2">`Tagged template are </span><span class="p">${</span><span class="dl">"</span><span class="s2">cool</span><span class="dl">"</span><span class="p">}</span><span class="s2">.`</span> <span class="c1">// =&gt; ["Tagged template are ", "."]</span> <span class="c1">// =&gt; cool</span> </code></pre></div> <blockquote> <p>Great, but how do I do custom interpolation? 😁</p> </blockquote> <p>Well, ok. I'm going to provide a better example. But before that, a bit more why I ended up with tagged template.</p> <p>I'm working on a company which build an ERP. We are trying to modernize the core of it and make the modernization of it as simple as possible<br> for other employee.</p> <p>In that research, we ended wanting to have a small wrapper around SQL because most employee who use our tools known SQL well<br> but not JS.</p> <p><em>Merge query with user input is not a good idea to avoid <strong>SQL injection</strong>.</em></p> <p>This is why we end up with tagged template. Tagged template isolate user input by default. <strong>And this is a wonderful feature</strong>.</p> <p>The other interesting part : SQL driver already sanitize input for SQL command.<br> Since tagged template separate query from input, <em>the work is done.</em></p> <p>Here how it looks :<br> </p> <div class="highlight"><pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">query</span><span class="p">,</span> <span class="nx">variables</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">query</span><span class="s2">` SELECT desc, unit, price from sales where status = </span><span class="p">${</span><span class="dl">"</span><span class="s2">completed</span><span class="dl">"</span><span class="p">}</span><span class="s2"> and customer_id = </span><span class="p">${</span><span class="mi">15735</span><span class="p">}</span><span class="s2"> order by created_at desc `</span> <span class="c1">// query =&gt; select desc, unit, price from sales where status = :0 order by created_at desc</span> <span class="c1">// variables =&gt; ["completed", 15735]</span> </code></pre></div> <p><em><code>completed</code> and <code>15735</code> are inline here but that data came from user input.</em></p> <p>And how it works :<br> </p> <div class="highlight"><pre class="highlight javascript"><code><span class="c1">// we use `...variables` because we don't know how many `${}` developers are going to use.</span> <span class="kd">function</span> <span class="nx">query</span><span class="p">(</span><span class="nx">parts</span><span class="p">,</span> <span class="p">...</span><span class="nx">variables</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">query</span> <span class="o">=</span> <span class="dl">""</span> <span class="c1">// we need to concatenate the string parts.</span> <span class="k">for</span> <span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">,</span> <span class="nx">size</span> <span class="o">=</span> <span class="nx">parts</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">size</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="nx">query</span> <span class="o">+=</span> <span class="nx">parts</span><span class="p">[</span><span class="nx">i</span><span class="p">]</span> <span class="c1">// if we have a variables for it, we need to bind it.</span> <span class="k">if</span> <span class="p">(</span><span class="nx">variables</span><span class="p">[</span><span class="nx">i</span><span class="p">])</span> <span class="p">{</span> <span class="nx">query</span> <span class="o">+=</span> <span class="dl">"</span><span class="s2">:</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">i</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">query</span><span class="p">,</span> <span class="nx">variables</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div> <p>The function split query from variables by default. And then, we can leverage on the SQL driver to make a safe query and avoid SQL injection.</p> <p>The example right here is because I use <code>oracle</code> as a database at work. Other<br> drivers my expect something else then <code>:0</code>, <code>:1</code>, and so on.</p> <p>Same example with execute from <code>oracledb</code><br> </p> <div class="highlight"><pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">query</span><span class="p">,</span> <span class="nx">variables</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">query</span><span class="s2">` SELECT desc, unit, price from sales where status = </span><span class="p">${</span><span class="dl">"</span><span class="s2">completed</span><span class="dl">"</span><span class="p">}</span><span class="s2"> and customer_id = </span><span class="p">${</span><span class="mi">15735</span><span class="p">}</span><span class="s2"> order by created_at desc `</span> <span class="c1">// connection object from oracledb</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">connection</span><span class="p">.</span><span class="nx">execute</span><span class="p">(</span><span class="nx">query</span><span class="p">,</span> <span class="nx">variables</span><span class="p">)</span> </code></pre></div> <p>Pretty cool, uh?</p> javascript