surrealdb / surrealdb.go

SurrealDB SDK for Golang
https://surrealdb.com
Apache License 2.0
231 stars 62 forks

Bug: Cannot use type::thing in queries as they aren't escaped properly #89

Open phughk opened 1 year ago

phughk commented 1 year ago

Describe the bug

It seems that parameters might not be properly passed as parameters to the db or something weird is happening. Maybe the query is incorrect, but it seems right. We need a test for this though to be certain. The tests are to verify parameters and escaping works as expected. We need to consider "thing", "ident", "table", and perhaps several more that need to have formatting handled correctly.

Steps to reproduce

From discord:

res, err := h.DB.Query(`
    BEGIN TRANSACTION;
    LET $WAREHOUSE = (SELECT * FROM rand::uuid());
    CREATE type::thing("warehouse", $WAREHOUSE) CONTENT {
        name: $name,
        desc: $desc,
        logo: $logo,
        owner: $userID,
        isPhysical: $isPhysical,
        capacity: $capacity
    };
    UPDATE $userID SET owns += type::thing("warehouse", $WAREHOUSE);
    RELATE $userID->manages->type::thing("warehouse", $WAREHOUSE) 
    SET roles = ["owner"];
    COMMIT TRANSACTION;
    `, map[string]interface{}{
        "userID":     data.OwnerID,
        "name":       data.Name,
        "desc":       data.Desc,
        "logo":       data.Logo,
        "isPhysical": data.IsPhysical,
        "capacity":   data.Capacity,
    })

Results in

sending request failed for method 'query': There was a problem with the database: Parse error on line 13 at character 1 when parsing 'RELATE $userID->manages->type::thing("warehouse", $WAREHOUSE)

Workaround was

RELATE user:⟨01899675-7c82-7ed2-8c4b-fb1b59556c1f⟩->manages->warehouse:⟨01899675-7c82-7ed2-8c4b-fb1b59556c1e⟩
    CONTENT {
        roles: ["owner"]
    };

Expected behaviour

The original query should have worked. Or the workaround shouldn't have worked.

SurrealDB version

1.0.0-beta.9+20230726.43794700 for macos on aarch64

Contact Details

hugh@surrealdb.com, < worldwidepaniel on discord >

JusticeN commented 1 year ago

Instead of type::thing, why not just use fmt.Sprintf(...) and generate the uuid in Go, not in the SQL query?

...
id := uuid.New()
tableId := fmt.Sprintf("warehouse:%v", id)
sql := fmt.Sprintf(`CREATE %v CONTENT {
...
}`, tableId)

...
// same with RELATE too

Or use text/template if you feel comfortable with it.
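Added example, not code from this thread or from the surrealdb.go SDK: if a record id has to be spliced into the statement text, as in the RELATE workaround above or in the fmt.Sprintf route suggested here, validate both halves and use the ⟨⟩ record-id escaping from the workaround instead of a bare %v. Binding values through the Query vars map, as in the original call, remains the first choice; this helper covers only the literal-id case. The table-name rule and the set of rejected characters are assumptions made for this example, not SDK behaviour.

```go
package main

import (
	"fmt"
	"regexp"
	"unicode"
)

// Plain SurrealQL table names only; anything else is rejected, not escaped
// (assumed conservative rule for this example, not the SDK's own validation).
var tableNameRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// RecordID builds a literal record id such as
// warehouse:⟨01899675-7c82-7ed2-8c4b-fb1b59556c1f⟩, the form used in the
// workaround. The id is always wrapped in ⟨⟩ so '-' is not read as an
// operator, and ids that could close the bracket are refused outright.
func RecordID(table, id string) (string, error) {
	if !tableNameRe.MatchString(table) {
		return "", fmt.Errorf("invalid table name %q", table)
	}
	if id == "" {
		return "", fmt.Errorf("empty record id")
	}
	for _, r := range id {
		if r == '⟨' || r == '⟩' || r == '`' || unicode.IsControl(r) {
			return "", fmt.Errorf("record id %q contains forbidden character %q", id, r)
		}
	}
	return fmt.Sprintf("%s:⟨%s⟩", table, id), nil
}

// RelateOwner renders the RELATE statement from the workaround with both
// record ids validated; userID and warehouseID are untrusted strings.
func RelateOwner(userID, warehouseID string) (string, error) {
	user, err := RecordID("user", userID)
	if err != nil {
		return "", err
	}
	wh, err := RecordID("warehouse", warehouseID)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf(`RELATE %s->manages->%s CONTENT { roles: ["owner"] };`, user, wh), nil
}

func main() {
	q, err := RelateOwner("01899675-7c82-7ed2-8c4b-fb1b59556c1f", "01899675-7c82-7ed2-8c4b-fb1b59556c1e")
	fmt.Println(q, err)
	_, err = RelateOwner("abc⟩ extra", "01899675-7c82-7ed2-8c4b-fb1b59556c1e")
	fmt.Println(err) // rejected instead of being spliced into the statement
}
```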

agufagit commented 1 year ago

I think you can just do

LET $id = CREATE warehouse:uuid() CONTENT ... RETURN id