
better "falsy" values management

* falsy-but-not-Numbers-and-not-null values are converted to blank Strings
* added a "SQL injection prevention" unit test
* version bumped to 0.7.1
commit 7ade249b4cc6d4bf5051f3aaeec66f258b31c2b5 1 parent 87d955e
@DrBenton authored
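--- a/README.md
+++ b/README.md
@@ -82,6 +82,8 @@ var select = dbWrapper.getSelect()
 .where( 'enabled=1' )
 .where( 'id=?', 10 )
 .where( 'last_name LIKE ?', '%Foo%' )
+.where( 'removal_date=?', null ) // null -> NULL
+.where( 'nickname=?', undefined ) // other falsy-but-not-Numbers values -> empty String
 .order( 'last_name' )
 .limit( 10 );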
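--- a/lib/adapters/adapter--mysql-libmysqlclient.js
+++ b/lib/adapters/adapter--mysql-libmysqlclient.js
@@ -241,6 +241,8 @@ Adapter.prototype.escape = function( value )
 return "'" + this._dbClient.escapeSync( value ) + "'";
 else if( value===null )
 return 'NULL';
+else if( isNaN(value) && ! value )
+return "''";//falsy-but-not-null-and-not-Numbers values are converted to empty Strings
 else
 return value;
 };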
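Review bot: `false` is not caught by the new guard `isNaN(value) && ! value` — the global `isNaN` coerces its argument and `Number(false)` is `0`, so `false` still reaches the trailing `else return value` branch and is concatenated into the statement unquoted as `false`, which contradicts the "falsy-but-not-Numbers" intent in the commit message and is not portable across the four engines (SQLite only accepts a `FALSE` literal in recent versions). The same guard is added in adapter--mysql.js, adapter--pg.js and adapter--sqlite3.js. Because of that coercion the branch effectively matches only `undefined` and `NaN`, so the trailing comment overstates what it handles; a guard that states the intent, e.g. `else if( value===undefined || value===false || (typeof value==='number' && isNaN(value)) )`, would read as the rule it implements and would pull `false` out of the unescaped fall-through (whether `false` should become `''`, `0` or `FALSE` is a decision worth making explicitly rather than by fall-through). The enclosing escape function starts outside the hunk, so the string branch that the first context line belongs to is not visible here.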
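--- a/lib/adapters/adapter--mysql.js
+++ b/lib/adapters/adapter--mysql.js
@@ -261,6 +261,8 @@ Adapter.prototype.escape = function( value )
 return this._dbClient.escape( value );
 else if( value===null )
 return 'NULL';
+else if( isNaN(value) && ! value )
+return "''";//falsy-but-not-null-and-not-Numbers values are converted to empty Strings
 else
 return value;
 };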
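--- a/lib/adapters/adapter--pg.js
+++ b/lib/adapters/adapter--pg.js
@@ -232,6 +232,8 @@ Adapter.prototype.escape = function( value )
 return "'" + value.replace(/'/g, "''") + "'";
 else if( value===null )
 return 'NULL';
+else if( isNaN(value) && ! value )
+return "''";//falsy-but-not-null-and-not-Numbers values are converted to empty Strings
 else
 return value;
 };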
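--- a/lib/adapters/adapter--sqlite3.js
+++ b/lib/adapters/adapter--sqlite3.js
@@ -196,6 +196,8 @@ Adapter.prototype.escape = function( value )
 return "'" + value.replace(/'/g, "''") + "'";
 else if( value===null )
 return 'NULL';
+else if( isNaN(value) && ! value )
+return "''";//falsy-but-not-null-and-not-Numbers values are converted to empty Strings
 else
 return value;
 };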
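--- a/package.json
+++ b/package.json
@@ -1,14 +1,14 @@
 {
 "name": "node-dbi",
 "description": "A Database abstraction layer for Node.js, bundled with several DB engines adapters",
-"version": "0.7.0",
+"version": "0.7.1",
 "homepage": "https://github.com/DrBenton/Node-DBI",
 "repository": {
 "type": "git",
 "url": "git://github.com/DrBenton/Node-DBI.git"
 },
 "authors": [
-"Dr. Benton (http://github.com/DrBenton)",
+"Olivier Philippon (http://github.com/DrBenton)",
 "Michael Dwyer (http://github.com/kalifg)",
 "David Schoen <dave@lyte.id.au>",
 "Fabian Bornhofen (http://fabianbornhofen.blogspot.com)"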
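--- a/test/db-select.js
+++ b/test/db-select.js
@@ -133,24 +133,39 @@ var adapterTestSuite = function( adapterName )
 expect(select.assemble()).to.equal(expectedSql);
 });
-it('should properly handle "0" params', function() {
-//@see https://github.com/DrBenton/Node-DBI/issues/19
+it('should prevent SQL injection', function() {
+//@see https://github.com/DrBenton/Node-DBI/issues/20
 select = dbWrapper.getSelect()
 .from('user')
-.where('zero=?', 0)
-.where('one=?', 1);
-
-expectedSql = 'SELECT '+user+'.* FROM '+user+' WHERE (zero=0) AND (one=1)';
+.where('id=?', '\' OR (SELECT * FROM user WHERE admin=1)');
+
+var escapedQuote;
+switch (adapterName) {
+case 'mysql-libmysqlclient':
+case 'mysql':
+escapedQuote = '\\\'';
+break;
+case 'sqlite3':
+case 'pg':
+escapedQuote = '\'\'';
+break;
+}
+expectedSql = 'SELECT '+user+'.* FROM '+user+' WHERE (id=\''+escapedQuote+' OR (SELECT * FROM user WHERE admin=1)\')';
 expect(select.assemble()).to.equal(expectedSql);
 });
-it('should properly handle "null" params (converted to NULL)', function() {
+it('should properly handle "falsy" params', function() {
+//@see https://github.com/DrBenton/Node-DBI/issues/19
 select = dbWrapper.getSelect()
 .from('user')
-.where('name=?', null);
+.where('blank=?', '')
+.where('zero=?', 0)
+.where('undefined=?', undefined)
+.where('null=?', null)
+.where('NaN=?', NaN);
-expectedSql = 'SELECT '+user+'.* FROM '+user+' WHERE (name=NULL)';
+expectedSql = 'SELECT '+user+'.* FROM '+user+' WHERE (blank=\'\') AND (zero=0) AND (undefined=\'\') AND (null=NULL) AND (NaN=\'\')';
 expect(select.assemble()).to.equal(expectedSql);
 });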
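Review bot: The `switch (adapterName)` in the new injection test has no `default`, so an adapter added later (or a misspelt name) leaves `escapedQuote` undefined and the expected SQL silently becomes `id='undefined OR …`, failing with a confusing string diff instead of naming the cause; add `default: throw new Error('unknown adapter: ' + adapterName);` before the closing brace. The new "falsy" test also leaves `false` out of its inputs while `''`, `0`, `undefined`, `null` and `NaN` are each pinned; since `isNaN(false)` is `false`, `false` takes the adapters' unguarded `return value` path, so a `.where('false=?', false)` case would make the library's actual output for it part of the contract. The enclosing adapterTestSuite function starts and ends outside the hunk.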