String literals are not escaped (unless used as params) #54

Open
dawkot opened this issue Jun 9, 2020 · 5 comments

Comments

dawkot commented Jun 9, 2020

There's a difference in how Ormin treats special UTF-8 character codes in comparison to db_sqlite:

# db_sqlite inserts "ó"
db.exec sql"insert into product(name) values (?)", "ó"

# Ormin inserts "\xC3\xB3"
query:
  insert product(name="ó")
@dawkot dawkot closed this as completed Jun 10, 2020
@dawkot dawkot reopened this Jun 10, 2020
dawkot (Author) commented Jun 10, 2020

unit test:

import ormin, os, unittest
from db_sqlite import exec

# model.sql contains "create table product(name text);"
importModel sqlite, "model"

removeFile "data.db"
let db = open("data.db", user="", password="", database="")
db.exec readFile("model.sql").sql

test "Special UTF-8 codes are inserted and read correctly":
  query:
    insert product(name="ó")

  let name = query:
    select product(name)
    limit 1
  
  check name == "ó"

huaxk (Collaborator) commented Jun 10, 2020

The UTF-8 string literal in the SQL is escaped; you should use a param:

let s = "ó"
query:
  insert product(name = ?s)
let name = query:
  select product(name)
  limit 1
check name == s
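To make the mechanism behind this reply and the original report concrete, here is an added example (not code from the issue and not Ormin's implementation), written in Python against the sqlite3 module with the `product(name text)` table from the issue. The `backslash_escape` routine is an assumption: it reproduces the `\xC3\xB3` result the issue shows by escaping the value the way a Nim or C source-code string literal is written, and is not Ormin's actual code. It is compared with binding the value as a parameter, which is what db_sqlite's `?` placeholder and Ormin's `?s` do, and with correct SQL literal quoting. The example also goes one step beyond the report by feeding in a value with an embedded single quote (a constructed sample), to show that backslash escaping does not protect SQL quotes either.

```python
import sqlite3

# Constructed sample inputs for the demonstration.
SAMPLE_UTF8 = "\u00f3"      # "ó", UTF-8 bytes C3 B3 (the value from the issue)
SAMPLE_QUOTE = "O'Reilly"   # embedded single quote (not from the issue)


def backslash_escape(s: str) -> str:
    """Escape s the way a Nim/C *source-code* string literal is written:
    backslash and single quote get a leading backslash, and every byte outside
    printable ASCII becomes \\xHH.  Assumption: this only models the output the
    issue reports ("ó" stored as "\\xC3\\xB3"); it is not Ormin's implementation."""
    out = []
    for b in s.encode("utf-8"):
        if b == 0x5C:            # backslash
            out.append("\\\\")
        elif b == 0x27:          # single quote
            out.append("\\'")
        elif 32 <= b <= 126:     # printable ASCII passes through
            out.append(chr(b))
        else:                    # everything else, including UTF-8 bytes
            out.append(f"\\x{b:02X}")
    return "".join(out)


def sql_quote(s: str) -> str:
    """Quote s as an SQL string literal: wrap in single quotes and double any
    embedded single quote.  SQL has no backslash escapes, so UTF-8 is untouched."""
    return "'" + s.replace("'", "''") + "'"


def roundtrip(sql: str, params=()):
    """Create the issue's table in memory, run one INSERT, return the stored name.
    Returns None when SQLite rejects the statement (e.g. a broken literal)."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("create table product(name text)")
        conn.execute(sql, params)
        (stored,) = conn.execute("select name from product limit 1").fetchone()
        return stored
    except sqlite3.Error:
        return None
    finally:
        conn.close()


def via_param(value: str):
    """Bind the value as a parameter: the SQL text never contains it,
    so no escaping question arises.  This is what the `?` placeholder does."""
    return roundtrip("insert into product(name) values (?)", (value,))


def via_backslash_literal(value: str):
    """Splice a backslash-escaped literal into the SQL text.  SQLite stores the
    \\xHH sequences verbatim, and a \\' does not protect the closing quote."""
    return roundtrip(f"insert into product(name) values ('{backslash_escape(value)}')")


def via_sql_literal(value: str):
    """Splice a correctly quoted SQL literal into the SQL text."""
    return roundtrip(f"insert into product(name) values ({sql_quote(value)})")


if __name__ == "__main__":
    for v in (SAMPLE_UTF8, SAMPLE_QUOTE):
        print(repr(v), "param:", repr(via_param(v)),
              "backslash literal:", repr(via_backslash_literal(v)),
              "sql literal:", repr(via_sql_literal(v)))
```

SQL string literals have no backslash escape syntax: SQLite stores `\xC3\xB3` as eight characters, and it reads `\'` as a backslash followed by the quote that ends the literal, so the statement for `O'Reilly` is rejected outright. Binding the value as a parameter sidesteps both problems, which is why the `?s` form above round-trips correctly.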

dawkot (Author) commented Jun 10, 2020

Thanks, you're right, but in this case I think it's a bug that you can even pass unquoted literals, so I'll leave this issue open.

@dawkot dawkot changed the title Special UTF-8 codes are garbled when inserted Unquoted string literals can be inserted into columns Jun 10, 2020
huaxk (Collaborator) commented Jun 11, 2020

"you can even pass unquoted literals": I don't quite understand. Could you be more specific, or give an example?

dawkot (Author) commented Jun 11, 2020

I used the wrong term. It's just that there's no reason string literals shouldn't be properly escaped.

@dawkot dawkot changed the title Unquoted string literals can be inserted into columns String literals are not escaped (unless used as params) Jun 11, 2020