search

mysqljs / sqlstring

Simple SQL escape and format for MySQL
MIT License
403 stars 78 forks source link

Unexpected results when using WHERE together with ? and null #32

Closed afanasy closed 6 years ago

afanasy commented 6 years ago

Using WHERE + ? + null may lead to unexpected results

var sql = SqlString.format('DELETE FROM posts WHERE ?', {id: null});
console.log(sql); //DELETE FROM posts WHERE `id` = NULL
//will do nothing (unexpected), need to use IS NULL instead
var sql = SqlString.format('DELETE FROM posts WHERE ?', {id: 1});
console.log(sql); //DELETE FROM posts WHERE `id` = 1
//will do (expected)

I know it's not exactly this package problem, because the query is still correct, but it may be worth mentioning this in the docs.

dougwilson commented 6 years ago

It's already in the docs:

Objects are turned into key = 'val' pairs for each enumerable property on the object. If the property's value is a function, it is skipped; if the property's value is an object, toString() is called on it and the returned value is used.

We never show doing WHERE ? anywhere, either.