SEA99
commented
1 year ago I prepared next commit (JSONEachRow support, it is needed for insert without field list parseable), but don't want to mix. Please, approve this.
Closed SEA99 closed 1 year ago
SEA99
commented
1 year ago I prepared next commit (JSONEachRow support, it is needed for insert without field list parseable), but don't want to mix. Please, approve this.
TimonKK
commented
1 year ago Big thanks for your PR!
muodov
commented
1 year ago @TimonKK Do I read this correctly that projects using a version before 2.6.0 are potentially vulnerable to a simple SQL injection because single quotes were not escaped?..
1) compare result of insertion in test in case of array of objects as data (failed before modifications) 2) lower case "insert" now possible in case of array of objects as data (issue 130) 3) mask apostrophe in case of array of objects as data (issue 124) 4) mask apostrophe (and others) in parameters in common way (function encodeValue instead of JSON.stringify) 5) test arrays as parameters 6) \n in "insert" sql text in case of array of objects as data 7) added test for insert select. In this case function _getBodyForInsert is called, that is not necessary, but that brakes nothing (test to be so in future).
There is switch on 'values' in sql ignoring cases of 'Some values' in strings, comments and so on. I prefer direct case of execution with extra parameters options, but it is more complex issue.