search

mysqljs / sqlstring

Simple SQL escape and format for MySQL
MIT License
403 stars 78 forks source link

single quote bad escape #68

Closed pbrink231 closed 1 year ago

pbrink231 commented 1 year ago

I am using postgres.

This is a heavily simplified example and not sure if this runs. But the issue is demonstrated here. The issue can be seen in col3value escaping of the single quote inside the string

I am using it like:

const col1value = 5
const col2value = 'hello world'
const col3value = "You'll find the world"

const escaped1value = escape(col1value)
const escaped2value = escape(col2value)
const escaped3value = escape(col3value)

 const query = `WITH temp_table ("col1","col2","col3") AS (
      VALUES (${escaped1value}::integer,${escaped2value}::text,${escaped3value}::text)
    )
select * from temp_table`

this becomes

WITH temp_table ("col1","col2","col3") AS (
      VALUES (5::integer,'hello world::text,'You\'ll find the world'::text)
    )
select * from temp_table

What it should become

WITH temp_table ("col1","col2","col3") AS (
      VALUES (5::integer,'hello world::text,'You''ll find the world'::text)
    )
select * from temp_table

I put in a function for replacement but essentially it does the below const escaped3value = escape(col3value).replace(/\\'/g, "''");

But I am wondering if there should be an option added to escape that we can change the escaping of single quotes from \' to ''?

dougwilson commented 1 year ago

Hello, and sorry for any confusion. This module is only for use with MySQL dialect, not with Postgres.