fix(sql): fix single quote escaping in array queries

This commit is contained in:
Evan Morikawa 2016-01-28 16:27:51 -08:00
parent 5eca866b43
commit 470a1723a9


@ -85,13 +85,18 @@ class Matcher
return false return false
whereSQL: (klass) -> whereSQL: (klass) ->
# https://www.sqlite.org/faq.html#q14
# That's right. Two single quotes in a row…
singleQuoteEscapeSequence = "''"
if @comparator is "like" if @comparator is "like"
val = "%#{@val}%" val = "%#{@val}%"
else else
val = @val val = @val
if _.isString(val) if _.isString(val)
escaped = "'#{val.replace(/'/g, "''")}'" escaped = "'#{val.replace(/'/g, singleQuoteEscapeSequence)}'"
else if val is true else if val is true
escaped = 1 escaped = 1
else if val is false else if val is false
@ -100,7 +105,7 @@ class Matcher
escapedVals = [] escapedVals = []
for v in val for v in val
throw new Error("#{@attr.jsonKey} value #{v} must be a string.") unless _.isString(v) throw new Error("#{@attr.jsonKey} value #{v} must be a string.") unless _.isString(v)
escapedVals.push("'#{v.replace(/'/g, '\\\'')}'") escapedVals.push("'#{v.replace(/'/g, singleQuoteEscapeSequence)}'")
escaped = "(#{escapedVals.join(',')})" escaped = "(#{escapedVals.join(',')})"
else else
escaped = val escaped = val
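Review bot: The `like` branch at `val = "%#{@val}%"` in the first hunk still passes any `%` or `_` inside `@val` through unescaped, so a value containing those characters widens the match beyond the literal substring; the doubled-quote fix keeps the string literal well-formed but does not bound what LIKE matches. Because this is still string-assembled SQL, the LIKE path would need its own wildcard escape, e.g. `val = "%#{@val.replace(/[%_]/g, '\\$&')}%"` paired with an `ESCAPE '\'` clause where the LIKE operator is emitted, which appears to be outside this hunk. A one-line comment beside `singleQuoteEscapeSequence` would also save the next reader the trip to the FAQ: `# SQLite has no backslash escapes inside string literals; '' is the only way to embed a quote.` whereSQL's body continues past both hunks.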