Bug: Cannot use type::thing in queries as they aren't escaped properly
phughk opened this issue · 2 comments
Describe the bug
It seems that parameters might not be properly passed as parameters to the db or something weird is happening. Maybe the query is incorrect, but it seems right. We need a test for this though to be certain. The tests are to verify parameters and escaping works as expected. We need to consider "thing", "ident", "table", and perhaps several more that need to have formatting handled correctly.
Steps to reproduce
From Discord:

```go
res, err := h.DB.Query(`
BEGIN TRANSACTION;
LET $WAREHOUSE = (SELECT * FROM rand::uuid());
CREATE type::thing("warehouse", $WAREHOUSE) CONTENT {
    name: $name,
    desc: $desc,
    logo: $logo,
    owner: $userID,
    isPhysical: $isPhysical,
    capacity: $capacity
};
UPDATE $userID SET owns += type::thing("warehouse", $WAREHOUSE);
RELATE $userID->manages->type::thing("warehouse", $WAREHOUSE)
    SET roles = ["owner"];
COMMIT TRANSACTION;
`, map[string]interface{}{
    "userID":     data.OwnerID,
    "name":       data.Name,
    "desc":       data.Desc,
    "logo":       data.Logo,
    "isPhysical": data.IsPhysical,
    "capacity":   data.Capacity,
})
```
Results in

```
sending request failed for method 'query': There was a problem with the database: Parse error on line 13 at character 1 when parsing 'RELATE $userID->manages->type::thing("warehouse", $WAREHOUSE)
```

Workaround was

```sql
RELATE user:⟨01899675-7c82-7ed2-8c4b-fb1b59556c1f⟩->manages->warehouse:⟨01899675-7c82-7ed2-8c4b-fb1b59556c1e⟩
CONTENT {
    roles: ["owner"]
};
```
Expected behaviour
The original query should have worked. Or the workaround shouldn't have worked.
SurrealDB version
1.0.0-beta.9+20230726.43794700 for macos on aarch64
Contact Details
hugh@surrealdb.com, < worldwidepaniel on discord >
Is there an existing issue for this?
- I have searched the existing issues
Code of Conduct
- I agree to follow this project's Code of Conduct
Instead of type::thing, why not just use fmt.Sprintf(...) and generate the uuid in Go, not in the SQL query?

```go
// ...
id := uuid.New() // e.g. github.com/google/uuid
tableId := fmt.Sprintf("warehouse:%v", id)
sql := fmt.Sprintf(`CREATE %v {
...
}`, tableId)
// ...
// same with RELATE too
```
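The Sprintf suggestion above works, but it moves the record id from a bound parameter into the query text, and anything spliced into query text is where injection comes from. The following is an added example (not code from the issue, from SurrealDB or from its Go SDK) of how to do that splice defensively: the UUID is generated in Go, the table name and id are checked against strict allowlists before they are formatted as `table:⟨id⟩` (the bracket-escaped form the workaround in the report uses, needed because a UUID starting with a digit is not a bare identifier), and every user-supplied field still travels in the variable map exactly as in the original `h.DB.Query(sql, vars)` call. The allowlist patterns, the `NewUUIDv4` helper (written with `crypto/rand` so no external module is required) and the `BuildCreateWarehouse` function are this example's own assumptions.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"regexp"
)

// Allowlists (assumption for this example): only plain table names and
// UUID-shaped ids are ever spliced into query text; anything else is rejected
// outright rather than escaped.
var (
	tableRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)
	idRe    = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)
)

// NewUUIDv4 returns a random RFC 4122 version-4 UUID built from crypto/rand,
// so the id is generated on the application side, not inside the query.
func NewUUIDv4() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version nibble = 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// RecordID renders table:⟨id⟩, the bracket-escaped form from the workaround
// in the report, after validating both parts against the allowlists above.
func RecordID(table, id string) (string, error) {
	if !tableRe.MatchString(table) {
		return "", fmt.Errorf("invalid table name %q", table)
	}
	if !idRe.MatchString(id) {
		return "", fmt.Errorf("invalid record id %q", id)
	}
	return fmt.Sprintf("%s:⟨%s⟩", table, id), nil
}

// BuildCreateWarehouse returns the transaction text and the variable map to
// pass alongside it. Only the validated record id is spliced into the text;
// the owner id and every user-supplied field stay bound parameters.
func BuildCreateWarehouse(id, ownerID string, fields map[string]interface{}) (string, map[string]interface{}, error) {
	rid, err := RecordID("warehouse", id)
	if err != nil {
		return "", nil, err
	}
	sql := fmt.Sprintf(`BEGIN TRANSACTION;
CREATE %[1]s CONTENT { name: $name, desc: $desc, owner: $userID };
UPDATE $userID SET owns += %[1]s;
RELATE $userID->manages->%[1]s SET roles = ["owner"];
COMMIT TRANSACTION;`, rid)
	vars := map[string]interface{}{"userID": ownerID}
	for k, v := range fields {
		vars[k] = v
	}
	return sql, vars, nil
}

func main() {
	id, err := NewUUIDv4()
	if err != nil {
		panic(err)
	}
	// Constructed sample input: the quote and semicolon in the description are
	// harmless because the value is bound, never formatted into the text.
	sql, vars, err := BuildCreateWarehouse(id, "user:admin", map[string]interface{}{
		"name": "Main site",
		"desc": "O'Reilly depot; north wing",
	})
	if err != nil {
		panic(err)
	}
	fmt.Println(sql)
	fmt.Println(vars)
	// sql and vars are what the report's h.DB.Query(sql, vars) call would receive.
}
```

The ids are rejected, not escaped, on purpose: an allowlist keeps the formatted text independent of the exact escaping rules of the server version in use, which is the very thing this issue shows to be unreliable.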
Or use text/template if you feel comfortable with it.

I think you can just do

```sql
LET $id = CREATE warehouse:uuid() CONTENT ... RETURN id
```