From cfc937e661550635093d622a799bf3e521f80d0e Mon Sep 17 00:00:00 2001
From: Evan Morikawa
Date: Thu, 28 Jan 2016 16:27:51 -0800
Subject: [PATCH] fix(sql): fix single quote escaping in array queries
---
 src/flux/attributes/matcher.coffee | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/flux/attributes/matcher.coffee b/src/flux/attributes/matcher.coffee
index 2fe9f82d4..9c64c102a 100644
--- a/src/flux/attributes/matcher.coffee
+++ b/src/flux/attributes/matcher.coffee
@@ -85,13 +85,18 @@ class Matcher
 return false
 whereSQL: (klass) ->
+
+ # https://www.sqlite.org/faq.html#q14
+ # That's right. Two single quotes in a row…
+ singleQuoteEscapeSequence = "''"
+
 if @comparator is "like"
 val = "%#{@val}%"
 else
 val = @val
 if _.isString(val)
- escaped = "'#{val.replace(/'/g, "''")}'"
+ escaped = "'#{val.replace(/'/g, singleQuoteEscapeSequence)}'"
 else if val is true
 escaped = 1
 else if val is false
@@ -100,7 +105,7 @@ class Matcher
 escapedVals = []
 for v in val
 throw new Error("#{@attr.jsonKey} value #{v} must be a string.") unless _.isString(v)
- escapedVals.push("'#{v.replace(/'/g, '\\\'')}'")
+ escapedVals.push("'#{v.replace(/'/g, singleQuoteEscapeSequence)}'")
 escaped = "(#{escapedVals.join(',')})"
 else
 escaped = val
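Review bot: The new `singleQuoteEscapeSequence` only neutralises the quote character, so in the `like` branch (`val = "%#{@val}%"`) any `%` or `_` inside `@val` still acts as a LIKE wildcard and the pattern matches more rows than the caller asked for. If that branch is meant to be a literal substring search, escape those characters before wrapping, e.g. `val = "%#{@val.replace(/[%_\\]/g, '\\$&')}%"`, and pair the LIKE with an `ESCAPE '\'` clause where the final SQL is assembled (that assembly is outside this hunk, so I cannot confirm how the operator is emitted). The added comment would also be more useful to the next reader if it said why doubling is the only correct form: SQLite does not treat backslash as an escape inside string literals, which is exactly why the old `\'` replacement in the array branch was wrong. The body of `whereSQL` continues past the end of this hunk.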
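Review bot: The array branch now escapes consistently, but the final `else` (`escaped = val`) still splices any non-string, non-boolean, non-array value straight into the SQL text, so a `null`, `undefined`, `NaN` or object value reaches the query unquoted and unvalidated. Since every other branch either quotes or throws, this fallthrough deserves the same guard, e.g. `throw new Error("#{@attr.jsonKey} value #{val} must be a string, boolean, number or array.") unless _.isNumber(val)` before `escaped = val`. More broadly, this commit is a reminder that hand-rolled quoting for string-built SQL is fragile; if the query layer that consumes `whereSQL` supports bound parameters, moving these values to `?` placeholders would remove the escaping question entirely. The enclosing `whereSQL` method starts before and ends after this hunk.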