Escape Functions
Escape functions provide safe handling of identifiers and values in SurrealQL queries when you need to construct queries manually.
Prefer using surql or BoundQuery for automatic parameterization. Use escape functions only when absolutely necessary.
Import:
import {
escapeIdent,
escapeKey,
escapeRid,
escapeValue
} from 'surrealdb';
Source: utils/escape.ts
Functions
escapeIdent(name)
Escape table names, field names, and other identifiers.
Signature
function escapeIdent(name: string): string
Parameters
| Parameter | Type | Description |
|---|
name required | string | The identifier to escape. |
Returns
string - Escaped identifier
Examples
import { escapeIdent } from 'surrealdb';
console.log(escapeIdent('users'));
console.log(escapeIdent('first_name'));
console.log(escapeIdent('user-table'));
console.log(escapeIdent('my table'));
console.log(escapeIdent('user.name'));
console.log(escapeIdent('select'));
console.log(escapeIdent('from'));
escapeKey(key)
Escape object keys for use in queries.
Signature
function escapeKey(key: string): string
Returns
string - Escaped key
Example
const key = 'user-property';
console.log(escapeKey(key));
escapeRid(value)
Escape record ID components.
Signature
function escapeRid(value: string | number): string
Parameters
| Parameter | Type | Description |
|---|
value required | string | number | The record ID component to escape. |
Returns
string - Escaped record ID component
Examples
import { escapeRid } from 'surrealdb';
console.log(escapeRid('john'));
console.log(escapeRid(123));
console.log(escapeRid('user-123'));
console.log(escapeRid('user@email.com'));
escapeValue(value)
Escape values for use in queries.
Signature
function escapeValue(value: unknown): string
Parameters
| Parameter | Type | Description |
|---|
value required | unknown | The value to escape. |
Returns
string - Escaped value representation
Examples
import { escapeValue } from 'surrealdb';
console.log(escapeValue('hello'));
console.log(escapeValue("O'Reilly"));
console.log(escapeValue(42));
console.log(escapeValue(3.14));
console.log(escapeValue(true));
console.log(escapeValue(false));
console.log(escapeValue(null));
console.log(escapeValue(undefined));
Complete Examples
Dynamic Table Names
import { escapeIdent } from 'surrealdb';
async function selectFromTable(tableName: string) {
const safeTable = escapeIdent(tableName);
const query = `SELECT * FROM ${safeTable}`;
const [results] = await db.query(query).collect();
return results;
}
await selectFromTable('user-sessions');
Dynamic Field Selection
import { escapeIdent } from 'surrealdb';
async function selectFields(table: string, fields: string[]) {
const escapedFields = fields.map(escapeIdent).join(', ');
const escapedTable = escapeIdent(table);
const query = `SELECT ${escapedFields} FROM ${escapedTable}`;
const [results] = await db.query(query).collect();
return results;
}
await selectFields('users', ['first-name', 'last-name', 'email']);
Building Raw Queries (Not Recommended)
import { escapeIdent, escapeValue } from 'surrealdb';
function buildUnsafeQuery(table: string, filters: Record<string, unknown>) {
const escapedTable = escapeIdent(table);
const conditions = Object.entries(filters)
.map(([key, value]) => {
const field = escapeIdent(key);
const val = escapeValue(value);
return `${field} = ${val}`;
})
.join(' AND ');
return `SELECT * FROM ${escapedTable} WHERE ${conditions}`;
}
const filters = { status: 'active', age: 18 };
const query = surql`
SELECT * FROM users
WHERE status = ${filters.status}
AND age = ${filters.age}
`;
When to Use
✅ Use Escape Functions When:
- Constructing queries with user-provided table/field names
- Working with identifiers that have special characters
- Building dynamic schema definitions
- Interfacing with external query builders
❌ Prefer Other Solutions:
Best Practices
1. Prefer Type-Safe Alternatives
const table = new Table('users');
const users = await db.select(table);
const escaped = escapeIdent('users');
const users = await db.query(`SELECT * FROM ${escaped}`).collect();
2. Validate Before Escaping
function safeQuery(tableName: string) {
if (!isValidTable(tableName)) {
throw new Error('Invalid table name');
}
const escaped = escapeIdent(tableName);
return `SELECT * FROM ${escaped}`;
}
function unsafeQuery(tableName: string) {
return `SELECT * FROM ${escapeIdent(tableName)}`;
}
3. Use surql for Complex Queries
const query = surql`SELECT * FROM users WHERE name = ${name}`;
const query = `SELECT * FROM users WHERE name = ${escapeValue(name)}`;
Security Considerations
Escaping functions are NOT a complete defense against SQL injection. Always prefer parameterized queries using surql or BoundQuery.
const query = surql`SELECT * FROM users WHERE name = ${userInput}`;
const query = `SELECT * FROM users WHERE name = ${escapeValue(userInput)}`;
const query = `SELECT * FROM users WHERE name = '${userInput}'`;
See Also
- surql - Recommended for parameterized queries
- BoundQuery - Parameterized query class
- Table - Type-safe table references
- RecordId - Type-safe record identifiers
