fix(sql): fix single quote escaping in array queries

2025-01-22 16:09:14 +08:00 · 2016-01-28 16:27:51 -08:00 · 2016-01-28 16:27:51 -08:00 · cfc937e661
commit cfc937e661
parent c83a6899ac
1 changed files with 7 additions and 2 deletions
--- a/src/flux/attributes/matcher.coffee
+++ b/src/flux/attributes/matcher.coffee
@ -85,13 +85,18 @@ class Matcher
        return false

  whereSQL: (klass) ->
+
+    # https://www.sqlite.org/faq.html#q14
+    # That's right. Two single quotes in a row…
+    singleQuoteEscapeSequence = "''"
+
    if @comparator is "like"
      val = "%#{@val}%"
    else
      val = @val

    if _.isString(val)
-      escaped = "'#{val.replace(/'/g, "''")}'"
+      escaped = "'#{val.replace(/'/g, singleQuoteEscapeSequence)}'"
    else if val is true
      escaped = 1
    else if val is false
@ -100,7 +105,7 @@ class Matcher
      escapedVals = []
      for v in val
        throw new Error("#{@attr.jsonKey} value #{v} must be a string.") unless _.isString(v)
-        escapedVals.push("'#{v.replace(/'/g, '\\\'')}'")
+        escapedVals.push("'#{v.replace(/'/g, singleQuoteEscapeSequence)}'")
      escaped = "(#{escapedVals.join(',')})"
    else
      escaped = val