depyronick / clickhouse-client

ClickHouse Client for NodeJS
https://clickhouse.js.org
MIT License

Prepared statements insertion #8

Closed Blaumaus closed 2 years ago

Blaumaus commented 2 years ago

Hello! I love the library and the simplicity of it.

Is it possible to use prepared statements via this client?

Please correct me if I'm wrong, but as I see it, you're currently mapping the provided parameters into the insert, which may be vulnerable to SQL injection attacks. Prepared statement insertion should prevent it. Is it planned to add this feature in the next releases of this library?

depyronick commented 2 years ago

Hello @Blaumaus!

Thanks for your interest in this library.

As of version 1.0.11, it's not possible to use prepared statements. I already have an implementation of this, but it needs some more testing. I'll be adding them as separate query and insert methods, something like queryPrepared and insertPrepared. Prepared statements require parameter names and data types. I'm trying to figure out how we can achieve such functionality efficiently using JavaScript objects. SELECTs are not that much of a problem, but we must think about how we will handle multiple inserts with prepared statements. It would be awesome if you have any thoughts on it.

^ Note: Even though they say that prepared statements are only implemented for selects, there's an issue from 2019 which means the opposite. Maybe we should use prepared statements only for selects. I'm not sure.

With the insert method and JSON format, we're using the JSONEachRow format to send insert values to the ClickHouse server. As far as I know, unless we use -Raw formats, ClickHouse already does the necessary escaping. I am still searching for the correct answer to this.

^ Please also see this discussion.
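The two approaches discussed above (typed query parameters for SELECTs, JSONEachRow bodies for inserts), shown as an added example that is not clickhouse-client's own code. It builds the HTTP request pieces ClickHouse's HTTP interface expects, `{name:Type}` placeholders in the query text plus `param_<name>` URL entries, without sending anything; the host URL and the table-name whitelist are assumptions for the example.

```javascript
// Added example, not part of the clickhouse-client library. Builds a
// parameterized ClickHouse HTTP request: the SQL keeps {name:Type}
// placeholders and the values travel as param_<name> query-string entries,
// which the server substitutes with type checking, so a value never becomes
// SQL text. Nothing is sent over the network; only the request is constructed.

// Hypothetical endpoint for the example (ClickHouse HTTP interface default port).
const CLICKHOUSE_URL = 'http://localhost:8123/';

// Matches {name:Type} placeholders, e.g. {id:UInt64} or {name:String}.
const PLACEHOLDER = /\{([A-Za-z_][A-Za-z0-9_]*):([^}]+)\}/g;

// Returns { url, body } for a SELECT. Every placeholder must have a value and
// every value must have a placeholder, so typos cannot silently drop a filter.
function buildPreparedQuery(sql, params) {
  const url = new URL(CLICKHOUSE_URL); // global URL in Node.js
  const used = new Set();
  for (const [, name] of sql.matchAll(PLACEHOLDER)) {
    if (!(name in params)) throw new Error(`missing parameter: ${name}`);
    used.add(name);
  }
  for (const name of Object.keys(params)) {
    if (!used.has(name)) throw new Error(`unused parameter: ${name}`);
    url.searchParams.set(`param_${name}`, String(params[name]));
  }
  url.searchParams.set('query', sql); // placeholders stay literal in the SQL
  return { url: url.toString(), body: '' };
}

// For inserts the rows go in the request body as JSONEachRow; JSON.stringify
// does all quoting, so row values never touch the SQL text at all. The table
// name cannot be a param_ value here, so it is checked against a strict
// identifier pattern (an assumption of this example, not a ClickHouse rule).
function buildPreparedInsert(table, rows) {
  if (!/^[A-Za-z_][A-Za-z0-9_.]*$/.test(table)) throw new Error('bad table name');
  const url = new URL(CLICKHOUSE_URL);
  url.searchParams.set('query', `INSERT INTO ${table} FORMAT JSONEachRow`);
  const body = rows.map((row) => JSON.stringify(row)).join('\n') + '\n';
  return { url: url.toString(), body };
}
```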