It'd be expected to support a syntax like:

```js
client.execute("select * from foo where id = ?", [1])
```

where callers can safely pass a list of parameters into their query instead of needing to do their own escaping or use prepared statements. This is a common pattern across drivers to allow client-side interpolation, and in our case this would be highly preferred over preparing statements.

For JavaScript, we came across sqlstring, which supports the same API as well as some other goodies. We should leverage this automatically internally: if parameters are passed, run the query through `SqlString.format(...)`.

It's worth noting that SqlString comes from the mysqljs ecosystem, and is used within the mysqljs/mysql driver.
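As an added example (not code from this project and not the sqlstring library itself), here is a minimal client-side interpolator in the shape of `SqlString.format(sql, values)`, with a hypothetical `execute(sql, params)` stand-in for the driver call above. It shows the escaping a driver would have to get right for this approach to be safe, mirrors the `?` (value) and `??` (identifier) placeholder convention, and makes the caveats of client-side interpolation explicit: the escaping is dialect-specific (the rules below are MySQL's, which is what sqlstring targets), the formatter does not parse the SQL, so a `?` inside a literal in the query text is also treated as a placeholder, and unknown value types or a placeholder/value count mismatch are rejected as a deliberate choice of this example rather than a claim about any library's behaviour. It uses no third-party packages and runs as-is with Node.

```javascript
// Added example for this issue: a minimal client-side interpolator in the
// shape of SqlString.format(sql, values). It is NOT the sqlstring library and
// NOT this project's code. Escaping follows MySQL's backslash rules (the
// dialect sqlstring targets); other databases need their own rules.

// Characters that can terminate or corrupt a single-quoted MySQL literal,
// mapped to their backslash escapes.
const ESCAPE_MAP = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
};

function escapeString(str) {
  return "'" + str.replace(/[\0\b\t\n\r\x1a"'\\]/g, (c) => ESCAPE_MAP[c]) + "'";
}

// `??` placeholders take identifiers: backtick-quoted, embedded backticks doubled.
function escapeId(id) {
  if (typeof id !== 'string') throw new TypeError('identifiers must be strings');
  return '`' + id.replace(/`/g, '``') + '`';
}

// `?` placeholders take values. Anything not explicitly handled is rejected
// rather than stringified, so an unexpected object can never end up as
// "[object Object]" inside the query.
function escapeValue(value) {
  if (value === undefined || value === null) return 'NULL';
  switch (typeof value) {
    case 'boolean': return value ? 'true' : 'false';
    case 'bigint': return value.toString();
    case 'number':
      if (!Number.isFinite(value)) throw new TypeError('non-finite numbers cannot be interpolated');
      return String(value);
    case 'string': return escapeString(value);
    case 'object':
      if (Array.isArray(value)) {
        // [1, 2] -> "1, 2" for IN (...); nested arrays become "(1, 2), (3, 4)" for VALUES.
        return value.map((v) => (Array.isArray(v) ? '(' + escapeValue(v) + ')' : escapeValue(v))).join(', ');
      }
      if (value instanceof Date) {
        // Assumption of this example: render dates in UTC as 'YYYY-MM-DD HH:MM:SS'.
        return escapeString(value.toISOString().slice(0, 19).replace('T', ' '));
      }
      throw new TypeError('unsupported object type for interpolation');
    default:
      throw new TypeError(`unsupported value type: ${typeof value}`);
  }
}

// Replace `?` / `??` left to right with escaped values. Like sqlstring, this
// does not parse the SQL, so a '?' inside a quoted literal in `sql` is also a
// placeholder: the query text must be a constant and all data must go in
// `values`. A count mismatch is an error here (a design choice of this
// example) so a forgotten or surplus parameter cannot ship silently.
function format(sql, values) {
  if (values === undefined || values === null) return sql;
  const params = Array.isArray(values) ? values : [values];
  let i = 0;
  const out = sql.replace(/\?\??/g, (token) => {
    if (i >= params.length) throw new RangeError('more placeholders than values');
    const v = params[i++];
    return token === '??' ? escapeId(v) : escapeValue(v);
  });
  if (i !== params.length) throw new RangeError('more values than placeholders');
  return out;
}

// Hypothetical stand-in for the driver method in the request: if params are
// present, the query is run through format() before being sent.
function execute(sql, params) {
  return format(sql, params);
}

function examples() {
  return [
    execute("select * from foo where id = ?", [1]),
    execute("select * from foo where name = ?", ["O'Brien"]),
    // Classic injection payload: the quote is escaped, so it stays inside the literal.
    execute("select * from foo where name = ?", ["' or 1=1 --"]),
    execute("select * from foo where id in (?)", [[1, 2, 3]]),
    execute("update foo set deleted_at = ? where id = ?", [null, 7]),
    execute("select ?? from ?? where id = ?", ["name", "foo", 1]),
  ];
}

console.log(examples().join('\n'));
```

The injection case is the one to look at: the payload's leading quote becomes `\'`, so the whole string stays one literal and `or 1=1 --` never reaches the parser as SQL. That safety rests entirely on the escape table matching the server's quoting rules, which is the main thing prepared statements give you for free and client-side interpolation has to get right per dialect.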