-
-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sequelize.fn does not escape multiple dollar signs in string #14601
Comments
This is fixed in V7 alpha, as we removed the need to escape bind parameters in strings altogether. A fix to the code that handles escaping of bind parameters in |
I'm not entirely sure that I understand what this means. Say I leave a If you run the test with
As you can see, the I might be misunderstanding what you mean entirely, sorry if that's the case. I cannot for the life of me find where escaping of |
Still definitely interested in fixing this if someone can point me in a vague direction. |
Here is all the context I can give: State of things in v6The source of the problem is that Sequelize provides an abstraction layer for query parameters. Each dialect has its own syntax so Sequelize transforms SQL variables that look like this Thing is, Sequelize's regex in v6 is dumb and replaces anything that looks like await sequelize.query(`SELECT * FROM table WHERE col = '$abc'`); Results in the following (in mysql), even though it is not actually a query parameter: SELECT * FROM table WHERE col = '?' To workaround that problem, prior maintainers decided to consider it to be escaped if another await sequelize.query(`SELECT * FROM table WHERE col = '$$abc'`); became this: SELECT * FROM table WHERE col = '$abc' All queries are passed to User.findAll({
where: { name: fn('upper', '$abc') };
}); Would eventually lead to await sequelize.query(`SELECT * FROM users WHERE name = UPPER('$abc')`); Which would produce this SQL: SELECT * FROM table WHERE col = '?' -- bad! So PR #11606 worked around that issue by auto-escaping That is the part that needs to be improved to resolve your issue. State of things in v7The above is only relevant to Sequelize 6, because in Sequelize 7, we fixed the issue at its source: Bind parameters are only translated to their dialect-specific syntax if they are in a position where bind parameters are allowed to be used. This means the following is not modified: SELECT * FROM table WHERE col = '$abc' But this is: SELECT * FROM table WHERE col = $abc
-- becomes
SELECT * FROM table WHERE col = ?
The fix we made in v7 would resolve your issue, but we cannot bring it to v6 because users have written queries like the following: await sequelize.query(`SELECT * FROM table WHERE col = '$$abc'`); and expect it to be interpreted as SELECT * FROM table WHERE col = '$abc' but in v7, it is interpreted as SELECT * FROM table WHERE col = '$$abc' which is a breaking change. That does not mean you cannot improve the auto-escape mechanism present in v6, #11606 is a good place to find out where relevant elements are located |
@ephys Cool, I really appreciate the context-dump! I'll see if I can spend some time on this in the next couple weeks. |
This issue has been automatically marked as stale because it has been open for 14 days without activity. It will be closed if no further activity occurs within the next 14 days. If this is still an issue, just leave a comment or remove the "stale" label. 🙂 |
This issue has been automatically marked as stale because it has been open for 14 days without activity. It will be closed if no further activity occurs within the next 14 days. If this is still an issue, just leave a comment or remove the "stale" label. 🙂 |
This was released, I think we can close the issue now :) |
Issue Creation Checklist
Bug Description
If a string is being passed to
sequelize.fn
for input into a SQL function, and it contains two space-separated dollar signs,sequelize
will throw an error likeError: Named bind parameter "$420" has no value in the given object.
.SSCCE
claytoneast/sequelize-sscce@fc762d1
What do you expect to happen?
The last Foo example should create with no problems. sequelize should escape all
$
going intosequelize.fn
, not just the first instance of$
.Additional context
nope.
Environment
Would you be willing to resolve this issue by submitting a Pull Request?
The text was updated successfully, but these errors were encountered: