feat: Add ability to use SqlString.raw() within the SqlString.escapeId() method

Author: dovidgef

README.md

@@ -183,6 +183,10 @@ console.log(sql); // SELECT `username`, `email` FROM `users` WHERE id = 1
 ```
 **Please note that this last character sequence is experimental and syntax might change**
 
+To skip escaping one or more of the columns names that you pass to `SqlString.escapeId()`
+you may use `SqlString.raw()` similarly to how it is used with `SqlString.escape()`.
+See above for more details.
+
 When you pass an Object to `.escape()` or `.format()`, `.escapeId()` is used to avoid SQL injection in object keys.
 
 ### Formatting queries

lib/SqlString.js

@@ -20,12 +20,19 @@ SqlString.escapeId = function escapeId(val, forbidQualified) {
     var sql = '';
 
     for (var i = 0; i < val.length; i++) {
-      sql += (i === 0 ? '' : ', ') + SqlString.escapeId(val[i], forbidQualified);
+      sql += (i === 0 ? '' : ', ');
+      if (typeof val[i].toSqlString === 'function') {
+        sql += String(val[i].toSqlString());
+      } else {
+        sql += SqlString.escapeId(val[i], forbidQualified);
+      }
     }
 
     return sql;
   } else if (forbidQualified) {
     return '`' + String(val).replace(ID_GLOBAL_REGEXP, '``') + '`';
+  } else if (typeof val.toSqlString === 'function') {
+    return String(val.toSqlString());
   } else {
     return '`' + String(val).replace(ID_GLOBAL_REGEXP, '``').replace(QUAL_GLOBAL_REGEXP, '`.`') + '`';
   }

test/unit/test-SqlString.js

@@ -45,7 +45,15 @@ test('SqlString.escapeId', {
 
   'nested arrays are flattened': function() {
     assert.equal(SqlString.escapeId(['a', ['b', ['t.c']]]), '`a`, `b`, `t`.`c`');
-  }
+  },
+
+  'raw not escaped': function () {
+    assert.equal(SqlString.escapeId(SqlString.raw('*')), '*');
+  },
+
+  'raw within array not escaped': function () {
+    assert.equal(SqlString.escapeId(['firstColumnName', SqlString.raw('*'), 'secondColumnName']), '`firstColumnName`, *, `secondColumnName`');
+  },
 });
 
 test('SqlString.escape', {