Closed MatthewAry closed 11 months ago
This doesn't work either
customerUser1 = await db.query(`
INSERT INTO userAccount {
firstName: $firstName,
lastName: $lastName,
email: $email,
organization: <record<organization>> $organization
};
`, {
firstName: 'Customer',
lastName: 'User1',
email: 'test1@test.com',
organization: customerOrganization[0].id
})
Error: There was a problem with the database: Found '<record<organization>> organization:66x760hhwmdrmndb89cm' for field `organization`, with record `userAccount:lys6kcc0esibihqdeiwh`, but expected a record<organization>
To add to the above comment, this nicely showcases that the passed values are not being computed there
Didn't try it, but maybe type::thing can help to work around this. Something like this:
customerUser1 = await db.query(`
INSERT INTO userAccount {
firstName: $firstName,
lastName: $lastName,
email: $email,
organization: type::thing('organization',$organization)
};
`, {
firstName: 'Customer',
lastName: 'User1',
email: 'test1@test.com',
organization: customerOrganization[0].id
})
@sebastianwessel If I recall correctly, it was tried. See this thread on discord. I'm not really sure what the problem here is. Shouldn't the resolved variables be interpolated into the query string? I think there's something different happening here.
@rushmorem this seems to also be an issue in the WASM library. Consider the following example:
const db = new Surreal();
await db.connect('memory');
await db.use({ ns: 'test', db: 'test' });
await Promise.all([
db.query("type::is::record($test)", { test: 'a:1' }).then(r => r[0]),
db.query("type::is::string($test)", { test: 'a:1' }).then(r => r[0]),
db.query("type::is::record(type::thing($test))", { test: 'a:1' }).then(r => r[0]),
db.query("type::is::record(<record> $test)", { test: 'a:1' }).catch(e => e)
]);
// Results in:
[false, true, false, "Expected a record but cannot convert 'a:1' into a record"]
This works fine in a normal SQL repl however:
test/test> type::is::record(type::thing('a:1'))
[
true
]
Do you have any ideas?
Thanks @kearfy. I will take a look. I think we can fix this from the query layer.
In the meantime, the only way to make this work is to interpolate the string directly into a query. I made a regex to hopefully prevent injection attacks, but really my hope is that we can get this fixed and that the SDK will prevent injection attacks on the data or bindings we pass in. No promises that this Regex gives full protection.
/**
* SurrealDB Record ID Validation Regex
*
* This regex pattern is designed to validate the different ID formats used in SurrealDB's SurrealQL language.
*
* Supported Formats:
* 1. Text Record IDs: Combinations of letters, numbers, and underscores. Example: `company:acusa`
* 2. Complex character IDs: Surrounded by backticks ` or by the characters ⟨ and ⟩. Example: `article:⟨uuid-format⟩`
* 3. Numeric Record IDs: 64-bit integers. Example: `temperature:1234567890`
* 4. Built-in ID generation functions: Such as `rand()`, `ulid()`, and `uuid()`.
*
* Note: Deeply nested objects and arrays are not supported by this regex.
* It is advisable to use a parser for handling deeply nested structures.
*
* @example
* const recordID = "company:acusa";
* const isValid = regexPattern.test(recordID);
*/
const regexPattern = /^([\w:]+|`[\w:-]+`|⟨[\w:-]+⟩|\d+|{[^}]+}|\[.*\]|(rand|ulid|uuid)\(\))$/;
It's possible that this also affects other types like datetime fields. I think I started seeing errors with that in my tests yesterday.
When I attempt to make a record link:
It doesn't work because it treats the ID as a string and not an actual record. This might be resolved by using
string::split
combined withtype::thing
but we shouldn't have to do that.Because this is using the rust driver under the hood, its probably not handling the type in a way that works well for JS based platforms.