mistic100
commented
3 years ago How is it supposed to be escaped ?
Anyway it is always heavily advised to use prepared statements when using user inputs
Closed chstorb closed 3 years ago
mistic100
commented
3 years ago How is it supposed to be escaped ?
Anyway it is always heavily advised to use prepared statements when using user inputs
mistic100
commented
3 years ago for reference this is is the escaping function https://github.com/mistic100/jQuery-QueryBuilder/blob/dev/src/utils.js#L150-L170
chstorb
commented
3 years ago In SQL Server single quotes are escaped by doubling them up (see https://stackoverflow.com/questions/1586560/how-do-i-escape-a-single-quote-in-sql-server).
The Utils.escapeString method doesn't work for SQL Server.
mistic100
commented
3 years ago Okay, I guess it's the same thing for every dialect actually.
chstorb
commented
3 years ago Exactly.
QueryBuilder replaces an apostrophe in a string with a backslash(es) followed by an apostrophe.
This leads to a SQL execution error in a SQL Server query.
Instead, SQL Server requires a double apostrophe.
Steps to Reproduce:
1) Open the demo page https://querybuilder.js.org/demo.html and go to the last section "Import/Export". 2) Add a "contains" rule for a field "name" and enter the value "D'Artagnan". 3) Click the button "SQL". 4) Copy the resulting SQL condition
name LIKE ('% D \\' Artagnan% ')and use the condition in a sql statement like this:SELECT * FROM [Musketeers] WHERE [name] LIKE ('% D \\' Artagnan% ')5) Running this query on SQL Server results in the following error:
Execution failed due to an unexpected error: SQL Execution error: A fatal error occurred. Incorrect syntax was encountered while [Statement] LIKE ('% D \' Artagnan% ') was being parsed.