doc: correct and expand documentation for SQLTagStore #60200
Conversation
|
Review requested:
|
nodejs-github-bot
added
doc
Renegade334
force-pushed
the
doc-sqlite-tagstore
branch
2 times, most recently
from
e9601ee to
ca594f6
Compare
| syntax. Do not add parameter binding placeholders (`?` etc.) to the SQL query | ||
| string itself. |
There was a problem hiding this comment.
Would it be possible to explain why you shouldn't add parameter binding placeholders to the SQL query string?
There was a problem hiding this comment.
Just to clarify, is that a suggestion for the docs, or a question?
There was a problem hiding this comment.
I think it would be good to explain that the tag store inserts these placeholders in the prepared statement.
Maybe there should be a reference to SQL Injection, because
sql.get`SELECT * FROM t1 WHERE id = ${id}`
looks really similar to
db.prepare(`SELECT * FROM t1 WHERE id = ${id}`).get();
but of course the second one is susceptible to SQL Injection.
There was a problem hiding this comment.
OK, I didn't read until the bottom, I see SQL Injection is mentioned below.
There was a problem hiding this comment.
Maybe there should be a reference to SQL Injection
I've added an insert regarding the difference between ${value} in tagged and untagged literals. Hopefully that should suffice.
Renegade334
force-pushed
the
doc-sqlite-tagstore
branch
from
8a576e5 to
35c7030
Compare
|
Rebased for merge conflict. |
doc/api/sqlite.md
Outdated
| parameters to the underlying prepared statement. For example: | ||
|
|
||
| ```js | ||
| tagStore.get`SELECT ${value}`; |
There was a problem hiding this comment.
tagStore should be defined, otherwise it is unclear how it is created.
Also I would recommend naming it sql or something else that is concise, since that is the whole point of the tagged literal API right?
There was a problem hiding this comment.
If anything it should be sqlTagStore to match the class block. I don't think the meaning is ambiguous, though.
There was a problem hiding this comment.
I think adding a
const tagStore = db.createTagStore();
at the top would be helpful.
There was a problem hiding this comment.
Turtle problem, no? db isn't explicitly defined either!
This is really only intended to be an inline comment to show the difference between the two styles, and the full example block below still contains the concrete self-contained demonstration. I don't think there's much benefit to bloating these.
There was a problem hiding this comment.
There are other examples that use db as a name for a DatabaseSync handle.
This is really only intended to be an inline comment to show the difference between the two styles, and the full example block below still contains the concrete self-contained demonstration.
Fair point, maybe they can be swapped? First show the general usage, and then the difference?
I still think naming it sql would make the elegance of the API show, but I trust your judgement.
Renegade334
force-pushed
the
doc-sqlite-tagstore
branch
from
35c7030 to
98bd239
Compare
7 participants
Cleaning up a few issues:
.reset()was never implemented, only.clear(). There's no need for both to exist; the easiest thing is just to remove the dead reference.StatementSyncwas sliced in half, messing with the doc tooling.