Nozbe / WatermelonDB

🍉 Reactive & asynchronous database for powerful React and React Native apps ⚡️
https://watermelondb.dev
MIT License

Column names not escaped properly #9

Closed sebastian-schlecht closed 6 years ago

sebastian-schlecht commented 6 years ago

When using SQL keywords as column names, the application dies on launch.

Example:

import { tableSchema } from '@nozbe/watermelondb'

// a column named `order` (an SQL keyword) makes the generated schema SQL fail
tableSchema({
  name: 'ticket_statuses',
  columns: [
    { name: 'name', type: 'string' },
    { name: 'order', type: 'string' },
  ],
})

where `order` is an SQL keyword. The stack trace shows: Syntax error near "order"

radex commented 6 years ago

Ooh! That's not good.

The generated SQL should put double quotes around column names.

This should be an easy fix (the helpers here: https://github.com/Nozbe/WatermelonDB/tree/master/src/adapters/sqlite )

I'll try to write up a basic Contributing.md guide with the how-to for running tests and whatnot tomorrow, and maybe you'd like to take a stab at fixing it?

sebastian-schlecht commented 6 years ago

Sure - just ping me here as soon as the guide is up and I'll give it a shot.

radex commented 6 years ago

@sebastian-schlecht OK, check out:

https://github.com/Nozbe/WatermelonDB/blob/master/CONTRIBUTING.md

And let me know if you run into any issues.

sebastian-schlecht commented 6 years ago

@radex started working on this - changing encodeSchema seems to be insufficient. Shouldn't also insert, update and query operations escape column (& table) names in order to be safe?

https://www.sqlite.org/lang_keywords.html

Query builders like knex use a similar pattern.

radex commented 6 years ago

> Shouldn't also insert, update and query operations escape column (& table) names in order to be safe?

Yep, exactly!
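An added illustration of the fix the two comments above describe (example code, not WatermelonDB's own implementation): every table and column identifier in generated SQLite statements is wrapped in double quotes, so a reserved word such as `order` is accepted, while row values stay in bound `?` parameters. The helper names `quoteIdentifier`, `encodeCreateTable` and `encodeInsert` and the column-type map are assumptions made for this example.

```javascript
// Added example, not WatermelonDB code: quoting SQLite identifiers so that
// reserved words such as `order` are valid as column or table names.
// SQLite identifiers go in double quotes; a literal double quote inside the
// name is escaped by doubling it. Values never go through this function; they
// are emitted as `?` placeholders and bound separately.

// assumed mapping from schema column types to SQLite storage classes
const sqliteTypes = { string: 'TEXT', number: 'REAL', boolean: 'INTEGER' }

function quoteIdentifier(name) {
  if (typeof name !== 'string' || name.length === 0) {
    throw new TypeError('identifier must be a non-empty string')
  }
  return `"${name.replace(/"/g, '""')}"`
}

// CREATE TABLE for one table schema; every table and column name is quoted.
function encodeCreateTable({ name, columns }) {
  const cols = columns.map(
    (c) => `${quoteIdentifier(c.name)} ${sqliteTypes[c.type] || 'TEXT'}`,
  )
  return `CREATE TABLE ${quoteIdentifier(name)} (${cols.join(', ')})`
}

// INSERT with quoted identifiers and one `?` placeholder per column;
// returns the statement plus the argument array to bind at execution time.
function encodeInsert(table, record) {
  const keys = Object.keys(record)
  const cols = keys.map(quoteIdentifier).join(', ')
  const placeholders = keys.map(() => '?').join(', ')
  return {
    sql: `INSERT INTO ${quoteIdentifier(table)} (${cols}) VALUES (${placeholders})`,
    args: keys.map((k) => record[k]),
  }
}

// Constructed sample: the schema from the issue, with a column named `order`.
const ticketStatuses = {
  name: 'ticket_statuses',
  columns: [
    { name: 'name', type: 'string' },
    { name: 'order', type: 'string' },
  ],
}

console.log(encodeCreateTable(ticketStatuses))
console.log(encodeInsert('ticket_statuses', { name: 'open', order: '1' }))
```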