brianc · Aug 4, 2017 · Aug 4, 2017 · Aug 7, 2017 · Aug 7, 2017 · Aug 8, 2017
Showing with 23 additions and 2 deletions.

+4 −0 README.md

+5 −0 SPONSORS.md

+2 −1 lib/result.js

+2 −1 package.json

+10 −0 test/integration/client/field-name-escape-tests.js
diff --git a/README.md b/README.md
@@ -48,6 +48,10 @@ You can also follow me [@briancarlson](https://twitter.com/briancarlson) if that
 
 I offer professional support for node-postgres.  I provide implementation, training, and many years of expertise on how to build applications with node, express, PostgreSQL, and react/redux.  Please contact me at [brian.m.carlson@gmail.com](mailto:brian.m.carlson@gmail.com) to discuss how I can help your company be more successful!
 
+### Sponsorship :star:
+
+If you are benefiting from node-postgres and would like to help keep the project financially sustainable please visit Brian Carlson's [Patreon page](https://www.patreon.com/node_postgres).
+
 ## Contributing
 
 __:heart: contributions!__

diff --git a/SPONSORS.md b/SPONSORS.md
@@ -1,3 +1,8 @@
+node-postgres is made possible by the helpful contributors from the community well as the following generous supporters on [Patreon](https://www.patreon.com/node_postgres).
+
 # Leaders
 
 # Supporters
+- John Fawcett
+- Lalit Kapoor [@lalitkapoor](https://twitter.com/lalitkapoor)
+- Paul Frazee [@pfrazee](https://twitter.com/pfrazee)
diff --git a/lib/result.js b/lib/result.js
@@ -8,6 +8,7 @@
  */
 
 var types = require('pg-types')
+var escape = require('js-string-escape')
 
 // result object returned from query
 // in the 'end' event and also
@@ -82,7 +83,7 @@ var inlineParser = function (fieldName, i) {
     // Addendum: However, we need to make sure to replace all
     // occurences of apostrophes, not just the first one.
     // See https://github.com/brianc/node-postgres/issues/934
-    fieldName.replace(/'/g, "\\'") +
+    escape(fieldName) +
     "'] = " +
     'rowData[' + i + '] == null ? null : parsers[' + i + '](rowData[' + i + ']);'
 }

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "pg",
-  "version": "7.1.0",
+  "version": "7.1.1",
   "description": "PostgreSQL client - pure javascript & libpq with the same API",
   "keywords": [
     "postgres",
@@ -20,6 +20,7 @@
   "dependencies": {
     "buffer-writer": "1.0.1",
     "packet-reader": "0.3.1",
+    "js-string-escape": "1.0.1",
     "pg-connection-string": "0.1.3",
     "pg-pool": "2.*",
     "pg-types": "1.*",

diff --git a/test/integration/client/field-name-escape-tests.js b/test/integration/client/field-name-escape-tests.js
@@ -0,0 +1,10 @@
+var pg = require('./test-helper').pg
+
+var sql = 'SELECT 1 AS "\\\'/*", 2 AS "\\\'*/\n + process.exit(-1)] = null;\n//"'
+
+var client = new pg.Client()
+client.connect()
+client.query(sql, function (err, res) {
+  if (err) throw err
+  client.end()
+})