balderdashy/waterline-sequel

quotes in strings are no longer escaped for mysql

Closed this issue · 4 comments

This problem affects both select and create queries. If you have a string {description: 'This string "contains" quotes'} passed into mysql queries, this will generate errors since moving to waterline sequel. The fix is pretty simple: line 382 (or thereabouts) of criteriaProcessor.js (CriteriaProcessor.prototype.process) should be:

if (typeof value === 'string') {value = '"' + utils.escapeQuotes(value) +'"';}

instead of

if (typeof value === 'string') {value = '"' + value +'"';}

Assuming you add a function like I did to utils which escapes the ":

utils.escapeQuotes = function(value) {
  if (_.isString(value)) {
    value = value.replace(/\"/g, '\\"');
  }
  return value;
};

I am not familiar with this whole code branch - so this fix may not be sufficient -- it was for me.

Another issue that I noticed is that boolean values are now returned from queries as integer 1. E.g., they used to be returned:
isNew : true
now
isNew : 1

I didn't really investigate that issue yet.
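The following is an added example, not code from the issue or from waterline-sequel. It checks whether a value wrapped in double quotes, as in the criteriaProcessor.js line above, still forms a single string literal, comparing the quotes-only escaper with a fuller one that also escapes backslashes. All function names are hypothetical, the sample values are constructed, and MySQL's default sql_mode (NO_BACKSLASH_ESCAPES off) is assumed.

```javascript
// Added example: names here are hypothetical, not waterline-sequel's API.
// Assumes MySQL's default sql_mode (NO_BACKSLASH_ESCAPES off), where a
// backslash inside a string literal starts an escape sequence.

// The escaper proposed in the issue: handles only the double quote.
function escapeQuotesOnly(value) {
  return typeof value === 'string' ? value.replace(/"/g, '\\"') : value;
}

// Fuller escaper: backslash, both quote styles and control characters.
const ESCAPES = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\'
};
function escapeMysqlString(value) {
  if (typeof value !== 'string') return value;
  return value.replace(/[\0\b\t\n\r\x1a"'\\]/g, (c) => ESCAPES[c]);
}

// Wrap a value the way criteriaProcessor.js does in the snippet above.
function quote(escaper, value) {
  return '"' + escaper(value) + '"';
}

// Scanner for the check: true only if `text` is exactly one well-formed
// double-quoted literal (closing quote is the last character).
function isSingleLiteral(text) {
  if (text.length < 2 || text[0] !== '"') return false;
  for (let i = 1; i < text.length; i++) {
    if (text[i] === '\\') { i++; continue; }          // escaped character
    if (text[i] !== '"') continue;
    if (text[i + 1] === '"') { i++; continue; }       // "" is a literal quote
    return i === text.length - 1;                     // closing quote
  }
  return false;                                       // never terminated
}

// Constructed sample values: the one from the issue and a path ending in "\".
const samples = ['This string "contains" quotes', 'C:\\temp\\'];
for (const s of samples) {
  console.log(JSON.stringify(s),
    'quotes-only ok:', isSingleLiteral(quote(escapeQuotesOnly, s)),
    'full ok:', isSingleLiteral(quote(escapeMysqlString, s)));
}
```

Where the driver supports bound parameters, passing values separately from the SQL text avoids building the literal by hand at all.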

Ok the strings should be fixed up now in 0.0.15. Would you make an issue on Waterline about the boolean normalization stuff? That moved into Waterline core and we must have left boolean casting out.

My build just blew up today. Could this be related?

$ref=$["originalError"], rawStack=TypeError: Object #<Object> has no method 'escapeString'
    at CriteriaProcessor.process (/Users/foo/git/ETLaaS/node_modules/sails-mysql/node_modules/waterline-sequel/sequel/lib/criteriaProcessor.js:395:29)
    at CriteriaProcessor.and (/Users/foo/git/ETLaaS/node_modules/sails-mysql/node_modules/waterline-sequel/sequel/lib/criteriaProcessor.js:225:8)
    at CriteriaProcessor.expand (/Users/foo/git/ETLaaS/node_modules/sails-mysql/node_modules/waterline-sequel/sequel/lib/criteriaProcessor.js:138:12)
    at /Users/foo/git/ETLaaS/node_modules/sails-mysql/node_modules/waterline-sequel/sequel/lib/criteriaProcessor.js:79:12
    at Array.forEach (native)
    at CriteriaProcessor.read (/Users/foo/git/ETLaaS/node_modules/sails-mysql/node_modules/waterline-sequel/sequel/lib/criteriaProcessor.js:78:22)
    at WhereBuilder.single (/Users/foo/git/ETLaaS/node_modules/sails-mysql/node_modules/waterline-sequel/sequel/where.js:137:40)
    at simpleWhere (/Users/foo/git/ETLaaS/node_modules/sails-mysql/node_modules/waterline-sequel/sequel/index.js:234:16)
    at find (/Users/foo/git/ETLaaS/node_modules/sails-mysql/node_modules/waterline-sequel/sequel/index.js:76:22)
    at __FIND__ (/Users/foo/git/ETLaaS/node_modules/sails-mysql/lib/adapter.js:833:27), details=Details:  TypeError: Object #<Object> has no method 'escapeString'

Whoops sorry. Should be fixed now. I pushed out 0.0.16.

Thanks. I did send a PR for that - not sure whether it's needed anymore.