query

package
v0.1.6
Published: Feb 26, 2026 License: MIT Imports: 5 Imported by: 0

Documentation

Overview

Package query provides filter parsing, query building, and SQL injection prevention for the Faucet API layer. It converts DreamFactory-compatible filter expressions into parameterized SQL WHERE clauses.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AtPPlaceholder

func AtPPlaceholder(index int) string

AtPPlaceholder returns @p1, @p2, etc. (SQL Server).

func BuildLimitOffset

func BuildLimitOffset(limit, offset int) string

BuildLimitOffset returns a LIMIT/OFFSET SQL fragment suitable for PostgreSQL and MySQL. It returns an empty string if limit is 0.

func BuildOrderSQL

func BuildOrderSQL(clauses []OrderClause, quoteFn func(string) string) string

BuildOrderSQL builds an ORDER BY SQL fragment from order clauses, applying the given quote function to column names.

func DollarPlaceholder

func DollarPlaceholder(index int) string

DollarPlaceholder returns $1, $2, etc. (PostgreSQL).

func MySQLQuote

func MySQLQuote(name string) string

MySQLQuote returns a MySQL-style backtick-quoted identifier.

func ParseFieldSelection

func ParseFieldSelection(fields string) ([]string, error)

ParseFieldSelection parses a comma-separated field list like "id,name,email" into a slice of validated column names. Whitespace around names is trimmed. Returns nil for an empty input string.

func PostgresQuote

func PostgresQuote(name string) string

PostgresQuote returns a PostgreSQL-style double-quoted identifier.

func QuestionPlaceholder

func QuestionPlaceholder(_ int) string

QuestionPlaceholder returns ? for all params (MySQL, SQLite).

func QuoteIdentifiers

func QuoteIdentifiers(names []string, quoteFn func(string) string) (string, error)

QuoteIdentifiers validates, quotes, and joins column names into a comma-separated SQL fragment. For example, with PostgreSQL quoting: ["id", "name", "email"] -> `"id", "name", "email"`

func SQLServerQuote

func SQLServerQuote(name string) string

SQLServerQuote returns a SQL Server-style bracket-quoted identifier.

func SanitizeStringValue

func SanitizeStringValue(val string, maxLen int) (string, error)

SanitizeStringValue removes null bytes and validates string length. This is a secondary defense; parameterization is the primary protection.

func ValidateIdentifier

func ValidateIdentifier(name string) error

ValidateIdentifier ensures a SQL identifier (column name, table name) is safe. It rejects empty strings, strings over 128 characters, strings that don't match the identifier pattern, and SQL reserved words.

func ValidateIdentifiers

func ValidateIdentifiers(names []string) error

ValidateIdentifiers validates multiple identifiers, returning the first error found.

Types

type OrderClause

type OrderClause struct {
	Column    string // Validated column name.
	Direction string // "ASC" or "DESC".
}

OrderClause represents a single column ordering directive.

func ParseOrderClause

func ParseOrderClause(order string) ([]OrderClause, error)

ParseOrderClause parses a DreamFactory-style order string like "created_at DESC, name ASC" into a slice of validated OrderClause values. Each element is "column [ASC|DESC]"; direction defaults to ASC if omitted.

func (OrderClause) String

func (o OrderClause) String() string

String returns the SQL fragment for this order clause, e.g. "created_at DESC".
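
ORDER BY columns and directions cannot be sent as bind parameters, so they have to be allowlisted and quoted before they reach the SQL text. The following is an added, stand-alone example of that pattern, not code from this package: checkIdent, pgQuote and orderBy are hypothetical names, and the identifier regex and reserved-word subset are assumptions (only the 128-character limit and the ASC default come from the documentation above).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`) // assumed identifier pattern
var reserved = map[string]bool{"SELECT": true, "DROP": true, "UNION": true, "DELETE": true} // assumed subset

// checkIdent rejects empty, over-long (>128), non-matching and reserved names.
func checkIdent(name string) error {
	if len(name) > 128 || !identRe.MatchString(name) || reserved[strings.ToUpper(name)] {
		return fmt.Errorf("unsafe identifier %q", name)
	}
	return nil
}

// pgQuote double-quotes an identifier, doubling any embedded quote as a second layer.
func pgQuote(name string) string { return `"` + strings.ReplaceAll(name, `"`, `""`) + `"` }

// orderBy turns "col [ASC|DESC], ..." into an ORDER BY fragment or an error.
func orderBy(order string) (string, error) {
	var parts []string
	for _, item := range strings.Split(order, ",") {
		f := strings.Fields(item)
		if len(f) == 0 || len(f) > 2 {
			return "", fmt.Errorf("malformed order element %q", item)
		}
		dir := "ASC" // default when the direction is omitted
		if len(f) == 2 {
			dir = strings.ToUpper(f[1])
		}
		if dir != "ASC" && dir != "DESC" { // direction is an allowlist, never passed through
			return "", fmt.Errorf("invalid direction %q", f[1])
		}
		if err := checkIdent(f[0]); err != nil {
			return "", err
		}
		parts = append(parts, pgQuote(f[0])+" "+dir)
	}
	return "ORDER BY " + strings.Join(parts, ", "), nil
}

func main() {
	fmt.Println(orderBy("created_at DESC, name"))  // constructed benign input
	fmt.Println(orderBy("name; DROP TABLE users")) // constructed hostile input, rejected
}
```

Anything that is not exactly one validated column plus an optional ASC or DESC is rejected outright rather than stripped or escaped.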

type ParsedFilter

type ParsedFilter struct {
	SQL    string        // e.g. "(age > $1) AND (status = $2)"
	Params []interface{} // e.g. [21, "active"]
}

ParsedFilter holds a parameterized SQL WHERE fragment and its bind values.

func ParseFilter

func ParseFilter(filter string, ph PlaceholderFunc, startIndex int) (*ParsedFilter, error)

ParseFilter parses a DreamFactory-compatible filter string into a parameterized SQL WHERE clause fragment.

ph controls placeholder style ($1, ?, @p1). startIndex is the 1-based index for the first placeholder (useful when appending to an existing parameterized query).

Returns nil, nil for an empty filter string.

type PlaceholderFunc

type PlaceholderFunc func(index int) string

PlaceholderFunc returns the SQL placeholder for a given 1-based parameter index.
