SQL Formatter Without Uploading
Keep Your Schema Private
What popular SQL formatters do with your query, how to verify a tool is truly client-side, and what you're actually leaking when you paste SQL online.
SQL formatter without uploading: the only safe way to format queries containing real table and column names is a tool that processes everything in your browser — because every SQL query you write is a partial blueprint of your database schema, and any tool that receives it on a server now has that blueprint too.
What Most SQL Formatters Do
The majority of popular SQL formatting tools work like this:
- You paste your query into a textarea
- You click "Format"
- A POST request fires to their API endpoint with your full query as the request body
- Their server parses and reformats the query
- The formatted result is returned and displayed
This is the path of least resistance for tool builders — it's easier to run a formatting library server-side than to bundle it into a browser page. But it means your query, with all its table and column names, is now on their server.
What Your SQL Query Reveals
```sql
SELECT
  u.email, u.plan_tier, u.stripe_customer_id,
  o.total_cents, o.status, o.created_at,
  p.name AS product_name
FROM users u
JOIN orders o ON u.id = o.user_id
JOIN products p ON o.product_id = p.id
WHERE o.status = 'pending'
  AND u.plan_tier = 'enterprise'
```
That query — which you might paste just to clean up indentation — tells an observer:
- A users table with email, plan_tier and stripe_customer_id columns
- orders and products tables with their exact column names
- The total_cents column on orders
- The join columns user_id and product_id
This is the schema intelligence that an attacker conducting reconnaissance would pay for. And you gave it away just to fix indentation.
Tool Comparison
| Feature | Most online formatters | ResourceCentral SQL | Local CLI tool |
|---|---|---|---|
| Query processed client-side | ✗ | ✓ | ✓ |
| No query sent to server | ✗ | ✓ | ✓ |
| Works offline | ✗ | ✓ | ✓ |
| MySQL / PostgreSQL / T-SQL / SQLite | varies | ✓ | varies |
| Keyword casing options | varies | ✓ | varies |
| Indentation control | varies | ✓ | varies |
| No install required | ✓ | ✓ | ✗ |
| Verifiable via DevTools | ✗ | ✓ | ✓ |
How to Verify Any Tool Is Truly Client-Side
Before trusting any SQL formatter with a production query:
Format SQL Without a Tool at All
For quick one-off formatting, you can use the sql-formatter package locally:
```bash
# Install once
npm install -g sql-formatter

# Format from stdin
echo "SELECT u.id,u.email FROM users u WHERE u.active=1" | sql-formatter --language postgresql

# Format a file
sql-formatter --language mysql < query.sql
```
Or in a Node.js script with no CLI install:
```js
import { format } from 'sql-formatter';

// Formatting happens in this process; the query is not sent anywhere.
const result = format(`SELECT u.id,u.email FROM users u WHERE u.active=1`, {
  language: 'postgresql',
  tabWidth: 2,
  keywordCase: 'upper',
});

console.log(result);
```
What to Do With Queries You've Already Pasted
If you've already used a server-side formatter with production queries, the information is likely in their logs. There's no way to undo this, but you can limit future exposure:
- Switch to a client-side formatter for anything involving real table or column names
- Use placeholder names when testing formatting (rename tables to t1, t2)
- If your queries contain literal values like emails or IDs, redact them before formatting; the formatted result is still correct with placeholders
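One way to automate the placeholder and redaction steps above, as an added example (not code from this page or from the sql-formatter project). It goes further than renaming tables: every identifier, literal and comment is swapped for a placeholder, and the real names are restored after formatting. The names `pseudonymize`, `restore`, the `zq` prefix and the short `KEYWORDS` list are assumptions; standard `''` string escaping is assumed.

```javascript
// Added example: pseudonymise a query before it reaches any formatter, then restore it.
// KEYWORDS is a deliberately small allow-list (an assumption). Any word not in it is
// treated as sensitive, so an unknown keyword gets renamed rather than a name leaked.
const KEYWORDS = new Set(`select from where join inner left right full outer cross on and or
  not in is null as group by order having limit offset union all distinct insert into values
  update set delete case when then else end like between exists asc desc`.split(/\s+/));

// Token classes in order: comments, string literals, quoted identifiers, numbers,
// bare words. Operators, commas and whitespace pass through unchanged.
const TOKEN = /--[^\n]*|\/\*[\s\S]*?\*\/|'(?:[^']|'')*'|"[^"]*"|`[^`]*`|\b\d+(?:\.\d+)?\b|\b[A-Za-z_]\w*\b/g;

function pseudonymize(sql) {
  const forward = new Map(); // original token -> placeholder
  const reverse = new Map(); // placeholder -> original token
  const masked = sql.replace(TOKEN, (tok) => {
    if (KEYWORDS.has(tok.toLowerCase())) return tok;
    if (!forward.has(tok)) {
      const id = `zq${forward.size + 1}`;
      // Comments and strings keep their token class so the layout is unchanged;
      // numbers and quoted identifiers become bare placeholder words.
      const ph = tok.startsWith('--') ? `-- ${id}`
        : tok.startsWith('/*') ? `/* ${id} */`
        : tok.startsWith("'") ? `'${id}'`
        : id;
      forward.set(tok, ph);
      reverse.set(ph, tok);
    }
    return forward.get(tok);
  });
  return { masked, reverse };
}

function restore(formatted, reverse) {
  // Longest placeholder forms first so a comment or string is restored as one unit.
  return formatted.replace(/-- zq\d+|\/\* zq\d+ \*\/|'zq\d+'|\bzq\d+\b/g,
    (ph) => (reverse.has(ph) ? reverse.get(ph) : ph));
}

// Constructed sample query; only `masked` would ever be pasted into a third-party tool.
const sample = "SELECT u.email FROM users u WHERE u.email = 'a@example.com' AND u.id = 42";
const { masked, reverse } = pseudonymize(sample);
console.log(masked);
console.log(restore(masked, reverse));
```

The `reverse` map holds the real names, so it stays on your machine along with the original query.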
Format SQL in Your Browser — No Upload
MySQL, PostgreSQL, T-SQL, SQLite and Oracle. Keyword casing, indentation control. Verify in DevTools: zero POST requests.