Version: v0.7.0 - Beta.  We welcome contributors & feedback.



TypeStrings are THT's approach to preventing injection attacks.

What Are Injection Attacks?

Injection attacks are the #1 security vulnerability on the web.

This occurs when an attacker sends input containing meta-characters (e.g. quotes) that trick the app into executing something different from what was intended.

For example, here is a SQL query to check a login attempt:

// Login query
select * from users
where user = 'admin'
and password = 'knockknock'

An attacker could enter a malicious password that contains a quote, followed by some SQL code, like this:

// ✕ Malicious Input
knockknock' or 1='1

Here is what the query looks like with the new password. It allows the attacker to log in as any user in the system, because the query will always be true.

// ✕ Injection!
select * from users
where user = 'admin'
and password = 'knockknock' or 1='1'

Attack Targets

Any subsystem is vulnerable to attack if it accepts strings that use meta-characters to embed data.

The most common targets are:

How TypeStrings Work 

To prevent injection attacks, THT introduces TypeStrings.

A TypeString is a string template object that knows how to safely handle data that is inserted into it.

Each TypeString has a prefix that defines what type it is.

Data is inserted via placeholders {}.

$query = sql'select * from table where userId = {}'
         ^^^                                    ^^
         type                               placeholder


Placeholders (also known as parameterized queries) are an industry best practice for securing SQL queries by ensuring that all inserted data is safely escaped.

However, TypeStrings expand this tactic to cover all types of sensitive strings, like URLs, system commands, and HTML.

Why It Works

TypeStrings are effective against injection attacks because:

  1. TypeStrings are literal constants hardcoded into your source files. This means you can trust them to be 100% benign. (Assuming you trust yourself!)
  2. High-risk modules only accept TypeStrings as input.
  3. TypeStrings automatically escape placeholders safely for their type.

Altogether, it removes human error from the equation, leading to more consistent protection with less effort.

How to Use TypeStrings 

Just prepend the type to any literal string to mark it as a TypeString.

This tells THT to keep it separate from all other dynamic strings, which often come from outside (untrusted) sources.


$query = sql'select * from users'

Supported types:

Prefix Description Example
sql SQL query sql'select * from posts'
html HTML markup html'<b>user123</b>'
url URL url'/posts?sort=desc'
cmd System command cmd'ls -l /some/path'
js JavaScript code js'var id = 123;'
css CSS code css'body { color: #333 }'

Filling Placeholder Values 

You can attach dynamic values to a TypeString via the fill method.

These will be inserted into placeholders (e.g. {}), which will be safely escaped by the TypeString class.

$query = sql'select * from users where userId = {}'


// The Db module only accepts TypeStrings
$row = Db.selectRow($query)

Combining TypeStrings 

Embedded TypeStrings

If you insert a TypeString into another TypeString of the same type, it will be inserted verbatim.

$name = html'<b>Admin</b>'

html'Posted by: {}'.fill($name)

//= 'Posted by: <b>Admin</b>'

Appending TypeStrings

You can join two TypeStrings together using the stringy ~ operator.

Placeholder values must be filled separately before they are merged.

$query = sql'select title from posts where postDate > {}'

$monthAgo = Date.create('30 days ago')

// Append a dynamic 'limit' value
$rowsPerPage = 20
$query ~= sql' limit {}'.fill($rowsPerPage)


Most TypeStrings have corresponding Template Functions that make it easy to create blocks of content that are safely and parsed and escaped.

// Returns an HTML TypeString

tm headerHtml($userName) {

        Welcome back, {{ $userName }}!


See the TypeString class for a full list of methods.