Araq / ormin

Ormin -- An ORM for Nim.
MIT License

String literals are not escaped (unless used as params) #54

Open dawkot opened 4 years ago

dawkot commented 4 years ago

There's a difference in how Ormin treats special UTF-8 character codes in comparison to db_sqlite:

# db_sqlite inserts "ó"
db.exec sql"insert into product(name) values (?)", "ó"

# Ormin inserts "\xC3\xB3"
query:
  insert product(name="ó")

dawkot commented 4 years ago

unit test:

import ormin, os, unittest
from db_sqlite import exec

# model.sql contains "create table product(name text)"
importModel sqlite, "model"

removeFile "data.db"
let db = open("data.db", user="", password="", database="")
db.exec readFile("model.sql").sql

test "Special UTF-8 codes are inserted and read correctly":
  query:
    insert product(name="ó")

  let name = query:
    select product(name)
    limit 1

  check name == "ó"

huaxk commented 4 years ago

The UTF-8 string literal in the SQL is escaped; you should use a param:

let s = "ó"
query:
  insert product(name = ?s)
let name = query:
  select product(name)
  limit 1
check name == s

dawkot commented 4 years ago

Thanks, you're right, but in this case I think it's a bug that you can even pass unquoted literals, so I'll leave this issue open.

huaxk commented 4 years ago

"you can even pass unquoted literals": I don't quite understand; could you be more specific, or give an example?

dawkot commented 4 years ago

I used the wrong term. It's just that there's no reason string literals shouldn't be properly escaped.
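The behaviour reported in this thread, reproduced against sqlite3 in Python as an added example (this is not Ormin's code; `nim_style_escape` is an assumption about how the DSL transforms the literal, modelled on Nim's `strutils.escape`, which rewrites non-ASCII bytes as `\xHH`). It contrasts that transformation with a real SQL literal quoting and with parameter binding, including a value containing a single quote:

```python
import sqlite3


def nim_style_escape(s: str) -> str:
    """Assumed model of the literal transformation: Nim string-literal
    escaping (\\xHH for bytes outside 32..126, backslash before quotes).
    SQL has no backslash escapes, so the result is stored verbatim."""
    out = []
    for b in s.encode("utf-8"):
        if b in (0x27, 0x22, 0x5C):          # ' " \  -> backslash-prefixed
            out.append("\\" + chr(b))
        elif 32 <= b < 127:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02X}")          # "ó" -> \xC3\xB3
    return "".join(out)


def sql_quote(s: str) -> str:
    """A correct SQL string literal keeps the bytes as they are and only
    doubles embedded single quotes."""
    return "'" + s.replace("'", "''") + "'"


def roundtrip(value: str, mode: str) -> str:
    """Insert `value` into a fresh in-memory product table using the given
    strategy and return what SQLite actually stored (or the SQL error)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table product(name text)")
    if mode == "nim_escape":      # what the issue reports for DSL literals
        stmt = f"insert into product(name) values ('{nim_style_escape(value)}')"
    elif mode == "sql_quote":     # literal quoted the way SQL expects
        stmt = f"insert into product(name) values ({sql_quote(value)})"
    elif mode == "param":         # the `?s` form: value never enters the SQL text
        con.execute("insert into product(name) values (?)", (value,))
        stmt = None
    else:
        raise ValueError(mode)
    if stmt is not None:
        try:
            con.execute(stmt)
        except sqlite3.OperationalError as e:
            return f"SQL error: {e}"
    return con.execute("select name from product limit 1").fetchone()[0]
```

Binding the value as a parameter is the only variant that needs no escaping logic at all, which is why the `?s` form in the thread round-trips correctly.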