Story - Use prepared statements with numbered parameters (#19)

* Initial commit

* version bump

Author: samhuk

package.json

@@ -1,6 +1,6 @@
 {
   "name": "ts-pg-orm",
-  "version": "5.0.0",
+  "version": "5.0.1",
   "description": "Typescript PostgreSQL ORM",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -53,8 +53,8 @@
     "access": "public"
   },
   "dependencies": {
-    "@samhuk/data-filter": "^1.0.10",
-    "@samhuk/data-query": "^1.1.7",
+    "@samhuk/data-filter": "^1.1.1",
+    "@samhuk/data-query": "^1.2.1",
     "simple-pg-client": "^1.0.5"
   },
   "devDependencies": {

src/store/count/index.ts

@@ -33,7 +33,7 @@ export const count = async (
 
   const sql = sqlParts.filter(s => s != null).join('\n')
 
-  const row = await db.queryGetFirstRow(sql)
+  const row = await db.queryGetFirstRow(sql, queryInfo?.values)
   const countRaw = (row as any).exact_count
   if (countRaw == null)
     return null

src/store/delete/index.ts

@@ -52,7 +52,7 @@ export const deleteBase = async (
 
   const sql = sqlParts.filter(s => s != null).join('\n')
 
-  const result = await db.query(sql)
+  const result = await db.query(sql, queryInfo?.values)
 
   switch (returnMode) {
     case ReturnMode.RETURN_COUNT:

src/store/exists/index.ts

@@ -25,6 +25,6 @@ export const exists = async (
 
   const sql = sqlParts.filter(s => s != null).join('\n')
 
-  const row = await db.queryGetFirstRow(sql)
+  const row = await db.queryGetFirstRow(sql, queryInfo?.values)
   return (row as any).exists === true
 }

src/store/get/index.ts

@@ -18,17 +18,17 @@ const createColumnsSqlForGetWithNoRelations = (
 const createGetSingleWithNoRelationsSql = (
   options: AnyGetFunctionOptions<false>,
   dataFormat: DataFormat,
-): string => {
+): { sql: string, values: any[] } => {
   const columnsSql = createColumnsSqlForGetWithNoRelations(options, dataFormat)
 
   const whereClause = options.filter != null
     ? createDataFilter(options.filter).toSql({ transformer: node => ({ left: dataFormat.sql.cols[node.field] }) })
     : null
   const rootSelectSql = `select ${columnsSql} from ${dataFormat.sql.tableName}`
-  if (whereClause == null)
-    return `${rootSelectSql} limit 1`
+  if (whereClause?.sql == null)
+    return { sql: `${rootSelectSql} limit 1`, values: [] }
 
-  return `${rootSelectSql} where ${whereClause} limit 1`
+  return { sql: `${rootSelectSql} where ${whereClause.sql} limit 1`, values: whereClause.values }
 }
 
 const getSingleWithNoRelations = async (
@@ -38,28 +38,29 @@ const getSingleWithNoRelations = async (
 ): Promise<any> => {
   const sql = createGetSingleWithNoRelationsSql(options, dataFormat)
 
-  const row = await db.queryGetFirstRow(sql)
+  const row = await db.queryGetFirstRow(sql.sql, sql.values)
 
   return objectPropsToCamelCase(row)
 }
 
 const createGetMultipleWithNoRelationsSql = (
   options: AnyGetFunctionOptions<true>,
   dataFormat: DataFormat,
-): string => {
+): { sql: string, values: any[] } => {
   const columnsSql = createColumnsSqlForGetWithNoRelations(options, dataFormat)
 
   const querySql = options.query != null
     ? createDataQuery(options.query).toSql({
+      includeWhereWord: true,
       filterTransformer: node => ({ left: dataFormat.sql.cols[node.field] }),
       sortingTransformer: node => ({ left: dataFormat.sql.cols[node.field] }),
     })
     : null
   const rootSelectSql = `select ${columnsSql} from ${dataFormat.sql.tableName}`
-  if (querySql == null)
-    return `${rootSelectSql} limit 1`
+  if (querySql?.whereOrderByLimitOffset == null)
+    return { sql: rootSelectSql, values: [] }
 
-  return `${rootSelectSql} ${querySql.whereOrderByLimitOffset}`
+  return { sql: `${rootSelectSql} ${querySql.whereOrderByLimitOffset}`, values: querySql.values }
 }
 
 const getMultipleWithNoRelations = async (
@@ -69,9 +70,9 @@ const getMultipleWithNoRelations = async (
 ): Promise<any> => {
   const sql = createGetMultipleWithNoRelationsSql(options, dataFormat)
 
-  const rows = await db.queryGetRows(sql)
+  const rows = await db.queryGetRows(sql.sql)
 
-  return rows.map(r => objectPropsToCamelCase(r))
+  return rows.map(r => objectPropsToCamelCase(r), sql.values)
 }
 
 export const getSingle = async (

src/store/get/queryPlan/queryNodeToSql.ts

@@ -9,6 +9,7 @@ import { QueryNode, DataNode, QueryNodeSql } from './types'
 type DataNodeQueryInfo = {
   whereClause?: string
   orderByLimitOffset?: string
+  values: any[]
 }
 
 const isQueryNodeRangeConstrained = (queryNode: QueryNode) => {
@@ -26,11 +27,14 @@ const isQueryNodeRangeConstrained = (queryNode: QueryNode) => {
  *
  * If the data node does not have any filter, this will return `null`.
  */
-const createWhereClauseOfDataNode = (dataNode: DataNode<false>): string | null => {
+const createWhereClauseOfDataNode = (dataNode: DataNode<false>, parameterStartIndex: number): { sql: string | null, values: any[] } | null => {
   const dataFilterNodeOrGroup = dataNode.options.filter
   return dataFilterNodeOrGroup != null
     ? createDataFilter(dataFilterNodeOrGroup)
-      .toSql({ transformer: node => ({ left: dataNode.fieldsInfo.fieldToFullyQualifiedColumnName[node.field] }) })
+      .toSql({
+        transformer: node => ({ left: dataNode.fieldsInfo.fieldToFullyQualifiedColumnName[node.field] }),
+        parameterStartIndex,
+      })
     : null
 }
 
@@ -44,48 +48,64 @@ const createWhereClauseOfDataNode = (dataNode: DataNode<false>): string | null =
  * If the data node has a query, but is missing certain parts of the data query, then the where
  * clause and/or the order-by-limit-offset statement can be null.
  */
-const createQueryInfoOfDataNode = (dataNode: DataNode<true>): DataNodeQueryInfo | null => {
+const createQueryInfoOfDataNode = (dataNode: DataNode<true>, parameterStartIndex: number): DataNodeQueryInfo | null => {
   const dataQueryRecord = dataNode.options.query
   if (dataQueryRecord != null) {
     const dataQuerySql = createDataQuery(dataQueryRecord).toSql({
       sortingTransformer: node => ({ left: dataNode.fieldsInfo.fieldToFullyQualifiedColumnName[node.field] }),
       filterTransformer: node => ({ left: dataNode.fieldsInfo.fieldToFullyQualifiedColumnName[node.field] }),
       includeWhereWord: false,
+      parameterStartIndex,
     })
     return {
       whereClause: dataQuerySql.where,
       orderByLimitOffset: dataQuerySql.orderByLimitOffset,
+      values: dataQuerySql.values,
     }
   }
   return null
 }
 
-const createDataNodeQueryInfo = (dataNode: DataNode): DataNodeQueryInfo | null => (
-  dataNode.isPlural
-    ? createQueryInfoOfDataNode(dataNode as DataNode<true>)
-    : {
-      whereClause: createWhereClauseOfDataNode(dataNode as DataNode<false>),
-      orderByLimitOffset: 'limit 1',
-    }
-)
+const createDataNodeQueryInfo = (dataNode: DataNode, parameterStartIndex: number): DataNodeQueryInfo | null => {
+  if (dataNode.isPlural)
+    return createQueryInfoOfDataNode(dataNode as DataNode<true>, parameterStartIndex)
+
+  const whereClause = createWhereClauseOfDataNode(dataNode as DataNode<false>, parameterStartIndex)
+
+  return {
+    whereClause: whereClause?.sql,
+    orderByLimitOffset: 'limit 1',
+    values: whereClause?.values ?? [],
+  }
+}
 
 /**
  * Converts all of the non-root (therefore *non-plural*) data nodes within `queryNode` into a
  * series of new-line-separated `left join` sql statements, with each data node's filter applied
  * alongside each left join as a where clause (minus the actual "where" word since joins just
  * need an " and " separator).
  */
-const createLeftJoinsSql = (queryNode: QueryNode) => (
-  Object.values(queryNode.nonRootDataNodes).map(dataNode => {
+const createLeftJoinsSql = (queryNode: QueryNode, parameterStartIndex: number): { sql: string, values: any[] } => {
+  const values: any[] = []
+  let _parameterStartIndex = parameterStartIndex
+
+  const sql = Object.values(queryNode.nonRootDataNodes).map(dataNode => {
     const linkedColumnName = dataNode.dataFormat.sql.cols[dataNode.fieldRef.field]
     const parentLinkedColumnName = dataNode.parent.dataFormat.sql.cols[dataNode.parentFieldRef.field]
-    const whereClause = createWhereClauseOfDataNode(dataNode)
+    const whereClause = createWhereClauseOfDataNode(dataNode, _parameterStartIndex)
+    if (whereClause != null) {
+      _parameterStartIndex += whereClause.values.length
+      values.push(...whereClause.values)
+    }
     // E.g. left join "userImage" "1" on "1"."user_id" = "0"."id" and "1"."date_deleted" is not null\n
     return filterForNotNullAndEmpty([
       `left join ${dataNode.dataFormat.sql.tableName} ${dataNode.tableAlias} on ${dataNode.tableAlias}.${linkedColumnName} = ${dataNode.parent.tableAlias}.${parentLinkedColumnName}`,
-      whereClause,
+      whereClause?.sql,
     ]).join(' and ')
-  }).join('\n'))
+  }).join('\n')
+
+  return { sql, values }
+}
 
 const createLinkedFieldWhereClause = (
   queryNode: QueryNode,
@@ -141,6 +161,8 @@ const createLinkedFieldWhereClause = (
 export const toSql = (queryNode: QueryNode, linkedFieldValues: any[]) => {
   const isManyToMany = queryNode.rootDataNode.relation?.type === RelationType.MANY_TO_MANY
   const isRangeConstrained = isQueryNodeRangeConstrained(queryNode) && linkedFieldValues?.length > 0
+  const values: any[] = []
+  let parameterStartIndex = 1
 
   const sqlParts: string[] = ['select']
 
@@ -272,12 +294,17 @@ export const toSql = (queryNode: QueryNode, linkedFieldValues: any[]) => {
     }
 
     // -- Root data node query SQL
-    const rootDataNodeQueryInfo = createDataNodeQueryInfo(rootDataNode)
+    const rootDataNodeQueryInfo = createDataNodeQueryInfo(rootDataNode, parameterStartIndex)
     if (rootDataNodeQueryInfo?.whereClause != null)
       sqlParts.push(`and ${rootDataNodeQueryInfo.whereClause}`)
     if (rootDataNodeQueryInfo?.orderByLimitOffset != null)
       sqlParts.push(rootDataNodeQueryInfo.orderByLimitOffset)
 
+    if (rootDataNodeQueryInfo != null) {
+      parameterStartIndex += rootDataNodeQueryInfo.values.length
+      values.push(...rootDataNodeQueryInfo.values)
+    }
+
     // -- As ... sql
     let asSql: string
     if (isManyToMany)
@@ -291,9 +318,12 @@ export const toSql = (queryNode: QueryNode, linkedFieldValues: any[]) => {
   // ----------------------------------------------------------------------------------
   // -- To-one related data left joins
   // ----------------------------------------------------------------------------------
-  const leftJoinsSql = createLeftJoinsSql(queryNode)
-  if (leftJoinsSql != null && leftJoinsSql.length > 0)
-    sqlParts.push(leftJoinsSql)
+  const leftJoinsSql = createLeftJoinsSql(queryNode, parameterStartIndex)
+  if (leftJoinsSql != null && leftJoinsSql.sql.length > 0)
+    sqlParts.push(leftJoinsSql.sql)
+
+  parameterStartIndex += leftJoinsSql.values.length
+  values.push(...leftJoinsSql.values)
 
   // ----------------------------------------------------------------------------------
   // -- Linked field values where clause and (possibly) root data node query
@@ -304,7 +334,7 @@ export const toSql = (queryNode: QueryNode, linkedFieldValues: any[]) => {
       sqlParts.push(`where ${linkedFieldValuesWhereClause}`)
   }
   else {
-    const rootDataNodeQueryInfo = createDataNodeQueryInfo(rootDataNode)
+    const rootDataNodeQueryInfo = createDataNodeQueryInfo(rootDataNode, parameterStartIndex)
     const rootDataNodeTotalWhereClauseSegments = [linkedFieldValuesWhereClause, rootDataNodeQueryInfo?.whereClause].filter(s => s != null)
     if (rootDataNodeTotalWhereClauseSegments.length > 0) {
       const rootDataNodeTotalWhereClause = rootDataNodeTotalWhereClauseSegments.join(' and ')
@@ -313,9 +343,14 @@ export const toSql = (queryNode: QueryNode, linkedFieldValues: any[]) => {
 
     if (rootDataNodeQueryInfo?.orderByLimitOffset != null)
       sqlParts.push(rootDataNodeQueryInfo.orderByLimitOffset)
+
+    if (rootDataNodeQueryInfo != null) {
+      parameterStartIndex += rootDataNodeQueryInfo.values.length
+      values.push(...rootDataNodeQueryInfo.values)
+    }
   }
 
-  return sqlParts.join('\n')
+  return { sql: sqlParts.join('\n'), values }
 }
 
 export const queryNodeToSql = <TIsPlural extends boolean = boolean>(
@@ -325,27 +360,39 @@ export const queryNodeToSql = <TIsPlural extends boolean = boolean>(
   let queryNodeSql: QueryNodeSql
   let currentLinkedFieldValues = linkedFieldValues
 
+  const initialSql = toSql(queryNode, currentLinkedFieldValues)
+
+  const updateSql = () => {
+    const newSql = toSql(queryNode, currentLinkedFieldValues)
+    queryNodeSql.sql = newSql.sql
+    queryNodeSql.values = newSql.values
+  }
+
   return queryNodeSql = {
-    sql: toSql(queryNode, currentLinkedFieldValues),
+    sql: initialSql.sql,
+    values: initialSql.values,
     updateLinkedFieldValues: (newLinkedFieldValues: any[] | null) => {
       currentLinkedFieldValues = newLinkedFieldValues
-      queryNodeSql.sql = toSql(queryNode, currentLinkedFieldValues)
+
+      updateSql()
     },
     modifyRootDataNodeDataFilter: newDataFilter => {
       if (queryNode.rootDataNode.isPlural)
         throw new Error('Cannot update root data node data filter, it is plural. Try calling modifyRootDataNodeDataQuery().')
 
       const _nonPluralRootDataNode = queryNode.rootDataNode as DataNode<false>
       _nonPluralRootDataNode.options.filter = newDataFilter
-      queryNodeSql.sql = toSql(queryNode, currentLinkedFieldValues)
+
+      updateSql()
     },
     modifyRootDataNodeDataQuery: newDataQuery => {
       if (!queryNode.rootDataNode.isPlural)
         throw new Error('Cannot update root data node data query, it is non-plural. Try calling modifyRootDataNodeDataFilter().')
 
       const _pluralRootDataNode = queryNode.rootDataNode as DataNode<true>
       _pluralRootDataNode.options.query = newDataQuery
-      queryNodeSql.sql = toSql(queryNode, currentLinkedFieldValues)
+
+      updateSql()
     },
   }
 }

src/store/get/queryPlan/queryPlan.ts

@@ -13,15 +13,15 @@ const createQueryNodeSql = (
   queryNode: QueryNode,
   linkedFieldValues: any[] | null,
   queryNodeSqlDict: { [queryNodeId: number]: QueryNodeSql },
-): string => {
+): { sql: string, values: any[] } => {
   /* Try and find any pre-existing QueryNodeSql for the current node.
    * If it exists, update the linked field values-dependant part of it
    * and then return the SQL text.
    */
   const preExistingQueryNodeSql = queryNodeSqlDict[queryNode.id]
   if (preExistingQueryNodeSql != null) {
     preExistingQueryNodeSql.updateLinkedFieldValues(linkedFieldValues)
-    return preExistingQueryNodeSql.sql
+    return { sql: preExistingQueryNodeSql.sql, values: [] } // TODO This is not used anymore, for now.
   }
 
   /* Else (if pre-existing QueryNodeSql does not exist), then convert
@@ -30,7 +30,7 @@ const createQueryNodeSql = (
    */
   const queryNodeSqlObj = queryNode.toSql(linkedFieldValues)
   queryNodeSqlDict[queryNode.id] = queryNodeSqlObj
-  return queryNodeSqlObj.sql
+  return { sql: queryNodeSqlObj.sql, values: queryNodeSqlObj.values }
 }
 
 /**
@@ -71,7 +71,7 @@ const executeQueryNode = async (
    */
   const queryNodeSql = createQueryNodeSql(queryNode, linkedFieldValues, queryNodeSqlDict)
   // Execute sql with db service
-  const _rows: any[] = await db.queryGetRows(queryNodeSql)
+  const _rows: any[] = await db.queryGetRows(queryNodeSql.sql, queryNodeSql.values)
   const rows = _rows ?? []
   // Store the results in the state object
   results[queryNode.id] = rows

src/store/get/queryPlan/types.ts

@@ -177,6 +177,10 @@ export type QueryNodeSql<
    * SQL query text
    */
   sql: string
+  /**
+   * The values for any numbered parameters (as part of a prepared statement)
+   */
+  values: any[]
   /**
    * Updates the linked field values-dependant part of the SQL query text.
    */