Raxol.Query (Raxol v2.6.0)

View Source

Safe query building utilities for Raxol.

Provides functions for building parameterized queries to prevent SQL injection.

Example

{:ok, result} = Raxol.Query.parameterized(
  "SELECT * FROM users WHERE id = ?",
  [user_id]
)

Summary

Functions

Execute a parameterized query (stub - requires database adapter).

Build a safe IN clause.

Build a safe LIKE pattern.

Create a parameterized query.

Validate that a value is safe for use in a query.

Types

query()

@type query() :: %{sql: String.t(), params: list()}

Functions

execute(map)

@spec execute(query()) :: {:ok, []}

Execute a parameterized query (stub - requires database adapter).

In a real implementation, this would execute against a database.

in_clause(values)

@spec in_clause(list()) :: {:ok, String.t(), list()} | {:error, term()}

Build a safe IN clause.

Example

{:ok, clause, params} = Raxol.Query.in_clause([1, 2, 3])
# => {:ok, "$1, $2, $3", [1, 2, 3]}

like_pattern(value)

@spec like_pattern(String.t()) :: String.t()

Build a safe LIKE pattern.

Escapes special characters in the pattern to prevent injection.

Example

pattern = Raxol.Query.like_pattern("user%input")
# => "user\%input%"

parameterized(template, params)

@spec parameterized(String.t(), list()) ::
  {:ok, query()}
  | {:error, {:param_mismatch, non_neg_integer(), non_neg_integer()}}

Create a parameterized query.

Returns a query structure that safely separates the query template from user-provided values.

Example

{:ok, query} = Raxol.Query.parameterized(
  "SELECT * FROM users WHERE id = ? AND active = ?",
  [user_id, true]
)

# query => %{sql: "SELECT * FROM users WHERE id = $1 AND active = $2", params: [user_id, true]}

validate_value(value)

@spec validate_value(any()) :: :ok | {:error, :unsafe}

Validate that a value is safe for use in a query.

Example

:ok = Raxol.Query.validate_value("normal string")
{:error, :unsafe} = Raxol.Query.validate_value("'; DROP TABLE users; --")