surrealdb/surrealdb.go

Bug: Cannot use type::thing in queries as they aren't escaped properly

phughk opened this issue · 2 comments

phughk commented

Describe the bug

It seems that parameters might not be properly passed as parameters to the DB, or something weird is happening. Maybe the query is incorrect, but it seems right. We need a test for this, though, to be certain. The tests are to verify that parameters and escaping work as expected. We need to consider "thing", "ident", "table", and perhaps several more that need to have formatting handled correctly.

Steps to reproduce

From discord:

res, err := h.DB.Query(`
    BEGIN TRANSACTION;
    LET $WAREHOUSE = (SELECT * FROM rand::uuid());
    CREATE type::thing("warehouse", $WAREHOUSE) CONTENT {
        name: $name,
        desc: $desc,
        logo: $logo,
        owner: $userID,
        isPhysical: $isPhysical,
        capacity: $capacity
    };
    UPDATE $userID SET owns += type::thing("warehouse", $WAREHOUSE);
    RELATE $userID->manages->type::thing("warehouse", $WAREHOUSE) 
    SET roles = ["owner"];
    COMMIT TRANSACTION;
    `, map[string]interface{}{
        "userID":     data.OwnerID,
        "name":       data.Name,
        "desc":       data.Desc,
        "logo":       data.Logo,
        "isPhysical": data.IsPhysical,
        "capacity":   data.Capacity,
    })

Results in

sending request failed for method 'query': There was a problem with the database: Parse error on line 13 at character 1 when parsing 'RELATE $userID->manages->type::thing("warehouse", $WAREHOUSE)

Workaround was

RELATE user:⟨01899675-7c82-7ed2-8c4b-fb1b59556c1f⟩->manages->warehouse:⟨01899675-7c82-7ed2-8c4b-fb1b59556c1e⟩
    CONTENT {
        roles: ["owner"]
    };

Expected behaviour

The original query should have worked. Or the workaround shouldn't have worked.

SurrealDB version

1.0.0-beta.9+20230726.43794700 for macos on aarch64

Contact Details

hugh@surrealdb.com, < worldwidepaniel on discord >

Is there an existing issue for this?

  • I have searched the existing issues

Code of Conduct

  • I agree to follow this project's Code of Conduct

Instead of type::thing, why not just use fmt.Sprintf(...) and generate the UUID in Go, not in the SQL query?

...
id := uuid.New() // e.g. github.com/google/uuid
tableId := fmt.Sprintf("warehouse:%v", id)
sql := fmt.Sprintf(`CREATE %v CONTENT {
...
}`, tableId)

...
// same with RELATE too

Or use text/template if you feel comfortable with it.
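Building the statement with fmt.Sprintf, as suggested above, interpolates the id straight into SurrealQL, so an id that originates from user input can alter the statement unless it is escaped. The following is an added example, not code from the surrealdb.go SDK or from either commenter: a Go helper that produces the bracketed record-id literal seen in the workaround, validates the table name, and refuses ids containing a bracket character instead of escaping them. The quoting rules it applies (plain identifiers stay bare, digit-only ids are bracketed so they are not read as numbers, everything else is wrapped in ⟨ ⟩) are assumptions drawn from the workaround; passing ids as bound parameters remains preferable wherever the driver escapes them correctly.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed rules: a part matching plainIdent may stay unquoted, except that
// an id made only of digits would parse as a number, so it is bracketed.
var (
	plainIdent = regexp.MustCompile(`^[A-Za-z0-9_]+$`)
	allDigits  = regexp.MustCompile(`^[0-9]+$`)
)

// RecordID builds a "table:id" literal, wrapping non-plain ids in ⟨ ⟩ as in
// the workaround; ids containing a bracket are refused rather than escaped.
func RecordID(table, id string) (string, error) {
	if !plainIdent.MatchString(table) {
		return "", fmt.Errorf("table %q is not a plain identifier", table)
	}
	if id == "" {
		return "", fmt.Errorf("empty record id for table %q", table)
	}
	if plainIdent.MatchString(id) && !allDigits.MatchString(id) {
		return table + ":" + id, nil
	}
	if strings.ContainsAny(id, "⟨⟩") {
		return "", fmt.Errorf("record id %q contains a bracket character", id)
	}
	return table + ":⟨" + id + "⟩", nil
}

// RelateStatement assembles the RELATE from the workaround using escaped ids.
func RelateStatement(userID, warehouseID string) (string, error) {
	u, err := RecordID("user", userID)
	if err != nil {
		return "", err
	}
	w, err := RecordID("warehouse", warehouseID)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf(`RELATE %s->manages->%s CONTENT { roles: ["owner"] };`, u, w), nil
}

func main() {
	fmt.Println(RelateStatement("01899675-7c82-7ed2-8c4b-fb1b59556c1f", "w1"))
	fmt.Println(RelateStatement("abc⟩; SELECT 1", "w1"))
}
```

The ids in main are constructed; the second call shows a crafted id being refused with an error instead of reaching the query string.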

I think you can just do

LET $id = CREATE warehouse:uuid() CONTENT ... RETURN id