randommysticalperson/tsql-parser

T-SQL Parser — SqlScriptDOM in the Browser

A client-side T-SQL parsing, formatting, and AST exploration tool built with Blazor WebAssembly and Microsoft's official SqlScriptDOM library. It runs entirely in your browser with zero server round-trips.

Live Demo


Features

  • Full T-SQL Parsing: Uses Microsoft.SqlServer.TransactSql.ScriptDom 180.6.0 — the exact same parser used internally by SQL Server Management Studio (SSMS) and Azure Data Studio.
  • Client-Side Execution: Compiled to WebAssembly via .NET 8 Blazor. The parser runs locally in your browser; no SQL code is ever sent to a server.
  • AST Explorer: Interactive tree view of the Abstract Syntax Tree generated by SqlScriptDOM.
  • Token Viewer: See the raw ScriptTokenStream with token types, offsets, and values.
  • SQL Formatter: Round-trips parsed ASTs through Sql170ScriptGenerator to produce canonical, aligned T-SQL.
  • Version Support: Selectable parsing modes from SQL Server 2000 (80) up to SQL Server 2025 (170).
  • CodeMirror Editor: Full T-SQL syntax highlighting with the @codemirror/lang-sql MSSQL dialect.

Educational Snippets

The tool includes a library of built-in snippets designed to demonstrate how SqlScriptDOM interprets various T-SQL patterns:

Security & Auditing

  • EXECUTE AS: Demonstrates ownership chaining and impersonation clauses.
  • Row-Level Security: Parses CREATE SECURITY POLICY and predicate functions.
  • DENY / REVOKE: Shows column-level denial and permission auditing queries.

SQL Injection Detection

These snippets show how classic injection attacks appear to the parser (typically as opaque StringLiteral nodes within dynamic SQL strings), and provide a 🛡 Safe Version diff view demonstrating the correct sp_executesql rewrite.

  • Tautology: ' OR '1'='1 bypasses.
  • UNION Exfiltration: Appending second result sets.
  • Stacked DROP: Semicolon-separated statement injection.
  • Comment Bypass: Swallowing trailing predicates with --.

Dynamic SQL Patterns

  • Optional Filter: Safe parameterised search procedures.
  • Schema Inspection: Validating identifiers with OBJECT_ID().
  • Index Rebuild: Safe object bracketing using QUOTENAME().
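The sp_executesql rewrite from the SQL Injection Detection snippets and the OBJECT_ID() / QUOTENAME() patterns listed above, shown side by side as an added T-SQL example; it is not taken from the repository's snippet library. The table dbo.Users and all three procedure names are hypothetical, and CREATE OR ALTER assumes SQL Server 2016 SP1 or later.

```sql
-- Constructed example; dbo.Users and all three procedure names are hypothetical.
CREATE TABLE dbo.Users (UserId int IDENTITY PRIMARY KEY, UserName nvarchar(100) NOT NULL);
GO

-- Weak form: the inner query exists only as string pieces until run time.
CREATE OR ALTER PROCEDURE dbo.FindUser_Unsafe
    @name nvarchar(100)
AS
BEGIN
    -- @name becomes part of the statement text, so a value such as the
    -- tautology case (' OR '1'='1) rewrites the WHERE clause itself.
    DECLARE @sql nvarchar(max) =
        N'SELECT UserId, UserName FROM dbo.Users WHERE UserName = ''' + @name + N'''';
    EXEC (@sql);
END;
GO

-- Hardened form: the statement text is constant; the value travels as a typed parameter.
CREATE OR ALTER PROCEDURE dbo.FindUser_Safe
    @name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT UserId, UserName FROM dbo.Users WHERE UserName = @p_name';
    EXEC sys.sp_executesql @sql, N'@p_name nvarchar(100)', @p_name = @name;
END;
GO

-- Identifiers cannot be passed as parameters: bracket them, then confirm the object exists.
CREATE OR ALTER PROCEDURE dbo.RebuildIndexes_Safe
    @schema sysname, @table sysname
AS
BEGIN
    DECLARE @full nvarchar(517) = QUOTENAME(@schema) + N'.' + QUOTENAME(@table);
    IF OBJECT_ID(@full, N'U') IS NULL   -- N'U' limits the lookup to user tables
    BEGIN
        RAISERROR(N'Unknown table.', 16, 1);
        RETURN;
    END;
    DECLARE @sql nvarchar(max) = N'ALTER INDEX ALL ON ' + @full + N' REBUILD;';
    EXEC sys.sp_executesql @sql;
END;
GO
```

In dbo.FindUser_Safe the dynamic string is still a literal to the parser, but it contains no caller-supplied text, which is the property to check when auditing dynamic SQL.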

Recursive GROUP BY

  • Recursive CTEs: Hierarchical data walking with CommonTableExpression.
  • Advanced Aggregation: GROUPING SETS, ROLLUP, and CUBE syntax trees.

Architecture

This project demonstrates the power of Blazor WebAssembly standalone deployment.

Because SqlScriptDOM is a pure .NET Standard library, it can be compiled to WebAssembly and executed by the Mono runtime in the browser. The entire application is hosted on GitHub Pages as static files (.wasm, .dll, .html, .js).

  1. Initialization: The browser downloads the Mono WASM runtime and the Microsoft.SqlServer.TransactSql.ScriptDom.dll.
  2. Parsing: When you click "Parse", the Blazor C# code invokes TSql170Parser.Parse().
  3. Rendering: The resulting TSqlFragment AST is recursively traversed and rendered into the HTML DOM using Blazor components.

Local Development

Prerequisites:

  • .NET 8 SDK
  • Node.js / pnpm (for bundling CodeMirror)

# Clone the repository
git clone https://github.com/randommysticalperson/tsql-parser.git
cd tsql-parser

# Build the CodeMirror bundle (optional, already included in wwwroot/js)
# cd cm-bundle && pnpm install && node build.mjs

# Run the Blazor app locally
cd TsqlParser
dotnet watch run

License

This project is open-source. The Microsoft.SqlServer.TransactSql.ScriptDom library is licensed by Microsoft.

About

An interactive T-SQL parser website powered by Microsoft's SqlScriptDOM library. Users can input T-SQL statements and see the parsed AST, tokens, formatting errors, and more. · Built with Manus
