Problems with backslashes #248

jeremyevans opened this Issue May 1, 2011 · 2 comments




What steps will reproduce the problem?

require 'rubygems'
require 'sequel'

DB = Sequel.connect("postgres://username:password@localhost/database")
# OR: DB = Sequel.sqlite "test.db"

class Test < Sequel::Model
  set_schema do
    primary_key :id
    text :pattern
  end
end

Test.create_table unless Test.table_exists?

# Single-quoted Ruby string: a backslash followed by "d"
Test.find_or_create(:pattern => '\d')
puts "Stored value: #{Test[1].pattern}"

What is the expected output? What do you see instead?

Using SQLite3: Stored value: \d
Using PgSQL: Stored value: d

What version of the product are you using? On what operating system?

Sequel 1.5.1 on OS X.4

Please provide any additional information below.

This started after upgrade from sequel 1.2

Google Code Info:
Issue #: 223
Created On: 2008-05-03T03:13:15.000Z
Closed On: 2008-05-06T21:34:38.000Z

@jeremyevans jeremyevans was assigned May 1, 2011
@jeremyevans jeremyevans closed this May 1, 2011

There is a difference in how the databases themselves work:

$ sqlite3
SQLite version 3.4.2
Enter ".help" for instructions
sqlite> SELECT '\d'
...> ;

Welcome to psql 8.2.4 (server 8.2.6), the PostgreSQL interactive terminal.

Type: \copyright for distribution terms
\h for help with SQL commands
\? for help with psql commands
\g or terminate with semicolon to execute query
\q to quit

music=# SELECT '\d';
WARNING: nonstandard use of escape in a string literal
LINE 1: SELECT '\d';
HINT: Use the escape string syntax for escapes, e.g., E'\r\n'.


(1 row)

However, as you can see, you should be getting \d from Sqlite3 and not \d. That's a
bug that should be fixed. Most adapters probably don't work correctly in this
regard, because this is the default string escaping in Sequel:

"'#{v.gsub(/\\/, "\\\\\\\\").gsub(/'/, "''")}'"

That's probably too broad. I think it should only be quoting ', it shouldn't be
modifying \ (unless it directly precedes a ').

Before I make the change, I need to research the security implications of changing
the escaping.

PostgreSQL is not affected because the postgresql adapter uses the quote method
provided by the underlying driver.

Google Code Info:
Created On: 2008-05-03T04:39:17.000Z


Fixed for MySQL and SQLite:

This may still be broken for databases other than PostgreSQL, MySQL and SQLite.
Unfortunately, those are the only databases that I have access to. The default
string handling is very conservative, but changing it so that it conforms to the SQL
standard (just double quotes, no backslash modification) may cause security issues
depending on the database. Since I don't know enough about the other databases, I'm
not going to change the default at this time. I will accept patches to fix the other
adapters if they have problems.

Google Code Info:
Created On: 2008-05-06T21:34:38.000Z
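
The trade-off discussed in the two comments above, as an added example that is not part of the original thread. Only the expression inside `quote_conservative` is taken from the page; the helper names and the simplified literal reader are assumptions made for illustration, and the sample values are constructed.

```ruby
# Default escaping quoted in the thread: double backslashes and single quotes.
def quote_conservative(v)
  "'#{v.gsub(/\\/, "\\\\\\\\").gsub(/'/, "''")}'"
end

# SQL-standard quoting: only the single quote is doubled.
def quote_standard(v)
  "'#{v.gsub(/'/, "''")}'"
end

# Simplified model (assumption) of how a server reads a string literal.
# backslash_escapes = true  : a backslash escapes the next character
# backslash_escapes = false : a backslash is an ordinary character
# Returns [decoded value, text left over after the closing quote].
def read_literal(sql, backslash_escapes)
  raise ArgumentError, "not a string literal" unless sql.start_with?("'")
  out = String.new
  i = 1
  while i < sql.length
    c = sql[i]
    if backslash_escapes && c == "\\" && i + 1 < sql.length
      out << sql[i + 1]
      i += 2
    elsif c == "'" && sql[i + 1] == "'"
      out << "'"
      i += 2
    elsif c == "'"
      return [out, sql[(i + 1)..-1]]
    else
      out << c
      i += 1
    end
  end
  [out, nil] # literal was never closed
end

# True when the value survives quoting and parsing unchanged and the
# literal ends exactly where the quoting code intended.
def round_trips?(value, quoter, backslash_escapes)
  decoded, rest = read_literal(send(quoter, value), backslash_escapes)
  decoded == value && rest == ""
end
```

In this model the conservative quoting never lets a literal end early, but it changes stored data on a server that treats backslash as an ordinary character. Standard quoting is lossless there, yet on a server that treats backslash as an escape it alters the value and can leave trailing text outside the literal, which is why the quoting has to match each adapter's database.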
