tl;dr it's just abusing ES6's template string functions > const kid = sq.from`pe...

jolmg · on Sept 19, 2018

I don't think it's abuse, but rather a very appropriate use of ES6 template string functions. I think the point is that you can do:

> const kid = sq.from`person`.where`age < ${kids_age}`

and it will be safe from SQL injection, because `where` is probably defined something like:

    function where(strings, ...interpolations) {
      var result = "";
      for (var i = 0; i < interpolations.length; i++) {
        result += strings[i] + this.sql_quote(interpolations[i]);
      }
      result += strings[interpolations.length];
      return this.add_to_query(result);
    }

EDIT: I agree with your EDIT.

AustinG08 · on Sept 19, 2018

It's a nice feature when used appropriately. Article says at the bottom in bold: "It’s a nice-to-know feature, good for impressing others, but my suggestion is to use this only if it’s the clearest way to express your concepts."

mrspeaker · on Sept 19, 2018

So far in the wild I've mostly seen it being used to confuse. Like in the very first part of the TestCafe documentaion (https://github.com/DevExpress/testcafe#creating-the-test):

    fixture `Getting Started`// declare the fixture
      .page `https://devexpress.github.io/testcafe/example`;  // specify the start page


    //then create a test and place your code there
    test('My first test', async t => {
      await t
        .typeText('#developer-name', 'John Smith')
        .click('#submit-button')
      // ...
    });

I spent ages going through their docs trying to find out why they specify their two main functions differently (`fixture` using tagged templates and `test` as a regular functions). In the docs it mentions "doesn't matter which way you do it". It's just there to confuse / impress.

jameslk · on Sept 19, 2018

It's a nice feature, when used for template strings. Looking at the library, it just looks awkward:

  sq.from`book`
    .return`distinct author`
    .where({ genre: 'Fantasy' })
    .where({ language: 'French' })

I can already hear the questions:

"Why do some functions require parenthesis and some don't?" "When do I need to use parenthesis?"

It's just unnecessarily confusing.

lhorie · on Sept 19, 2018

You're framing this as a question of syntax preference, but actually the whole point of template tags is to cater to a very specific need: the ability to sanitize an interpolated value.

In this specific example, let's say you have:

    sql.from`book`.return`distinct ${field}`

You don't want a sql injection to occur if somehow `field = 'author'; drop table book; --` or similar.

With a plain function call, the library would have no way of knowing what to sanitize.

    sql.from('book').return(`distinct ${field}`) // hello security hole

And without template tags, the API would arguably look more complex, and require the user to discover/learn an ad-hoc interpolation DSL:

    sql.from('book').return('distinct ${field}', {field})

You can still target the template tag's raw API requirements without the syntax (though you'd lose readability with multiple interpolations):

    sql.from('book').return(['distinct'], field)

AustinG08 · on Sept 19, 2018

Fair enough. I primarily use it for GraphQL queries. Each of my queries exist in a file queryName.jsx. Those files consist of the following code:

  import gql from 'graphql-tag';
  
  export default gql`
    query Blah($var: VarType!) {
      blah(var: $var) {
        id
        etc
      }
    }
  `;

I like it. Not confusing to me or anyone on my team. To each their own.