• Start

Languages

/

JavaScript

/

API Reference

/

Utilities

Escape functions

Functions for escaping identifiers and values in SurrealQL queries.

Escape functions provide safe handling of identifiers and values in SurrealQL queries when you need to construct queries manually.

!NOTE: Tip
Prefer using surql or BoundQuery for automatic parameterisation. Use escape functions only when absolutely necessary.

Import:

import { 
    escapeIdent,
    escapeNumber,
    escapeIdPart,
    escapeRangeBound
} from 'surrealdb';

Source: utils/escape.ts

Escape table names, field names, and other identifiers.

Signature
function escapeIdent(name: string): string

Parameter

Type

Description

namestring

The identifier to escape.

string - Escaped identifier

import { escapeIdent } from 'surrealdb';

// Simple identifiers (no escaping needed)
console.log(escapeIdent('users')); // 'users'
console.log(escapeIdent('first_name')); // 'first_name'

// Special characters (wrapped in backticks)
console.log(escapeIdent('user-table')); // '`user-table`'
console.log(escapeIdent('my table')); // '`my table`'
console.log(escapeIdent('user.name')); // '`user.name`'

// Reserved keywords
console.log(escapeIdent('select')); // '`select`'
console.log(escapeIdent('from')); // '`from`'

Escape a number to be used as a valid SurrealQL ident.

Signature
function escapeNumber(num: number | bigint): string

Parameter

Type

Description

numnumber | bigint

The number to escape.

string - Escaped number representation

import { escapeNumber } from 'surrealdb';

console.log(escapeNumber(123));    // '123'
console.log(escapeNumber(42n));    // '42'

Escape a record ID value part. Handles Uuid, string, number, bigint, and object values.

Signature
function escapeIdPart(id: RecordIdValue): string

Parameter

Type

Description

idRecordIdValue

The record ID value part to escape.

string - Escaped record ID part

import { escapeIdPart } from 'surrealdb';

// String IDs
console.log(escapeIdPart('john'));        // 'john' or escaped equivalent

// Numeric IDs
console.log(escapeIdPart(123));           // '123'
console.log(escapeIdPart(42n));           // '42'

// UUID values
console.log(escapeIdPart(new Uuid('...')));

Escape a range bound value for use in SurrealQL range expressions.

Signature
function escapeRangeBound<T>(bound: Bound<T>): string

Parameter

Type

Description

boundBound<T>

The range bound to escape.

string - Escaped range bound representation

import { escapeIdent } from 'surrealdb';

async function selectFromTable(tableName: string) {
    // Validate and escape table name
    const safeTable = escapeIdent(tableName);
    
    // Use in query (still prefer Table class)
    const query = `SELECT * FROM ${safeTable}`;
    const [results] = await db.query(query).collect();
    
    return results;
}

await selectFromTable('user-sessions'); // Safe
import { escapeIdent } from 'surrealdb';

async function selectFields(table: string, fields: string[]) {
    const escapedFields = fields.map(escapeIdent).join(', ');
    const escapedTable = escapeIdent(table);
    
    const query = `SELECT ${escapedFields} FROM ${escapedTable}`;
    const [results] = await db.query(query).collect();
    
    return results;
}

await selectFields('users', ['first-name', 'last-name', 'email']);
// Prefer surql for safe parameterisation
const filters = { status: 'active', age: 18 };
const query = surql`
    SELECT * FROM users 
    WHERE status = ${filters.status} 
    AND age = ${filters.age}
`;
  • Constructing queries with user-provided table/field names

  • Working with identifiers that have special characters

  • Building dynamic schema definitions

  • Interfacing with external query builders

// Good: Type-safe
const table = new Table('users');
const users = await db.select(table);

// Avoid: Manual escaping
const escaped = escapeIdent('users');
const users = await db.query(`SELECT * FROM ${escaped}`).collect();
// Good: Validate first
function safeQuery(tableName: string) {
    if (!isValidTable(tableName)) {
        throw new Error('Invalid table name');
    }
    
    const escaped = escapeIdent(tableName);
    return `SELECT * FROM ${escaped}`;
}

// Avoid: Blind escaping
function unsafeQuery(tableName: string) {
    return `SELECT * FROM ${escapeIdent(tableName)}`;
}
// Good: Automatic parameterisation
const query = surql`SELECT * FROM users WHERE name = ${name}`;

// Avoid: Manual string construction
const query = `SELECT * FROM users WHERE name = '${name}'`;
Warning

Escaping functions are NOT a complete defense against SQL injection. Always prefer parameterised queries using surql or BoundQuery.

// Secure: Parameterised
const query = surql`SELECT * FROM users WHERE name = ${userInput}`;

// Insecure: No escaping
const query = `SELECT * FROM users WHERE name = '${userInput}'`;
  • surql - Recommended for parameterised queries

  • BoundQuery - Parameterised query class

  • Table - Type-safe table references

  • RecordId - Type-safe record identifiers

Was this page helpful?