Fix string escaping for sqlite
SQLite was defaulting to the MySQL backslash-escaped style, but it uses
postgres-style escaping. This is a SQL-injection vulnerability, and
shouldn't be taken lightly (although SQLite is mostly for testing).
Benjamin Woodruff committed Jun 15, 2013
1 parent 7dc35e3 commit c876192
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion lib/sql-string.js
Expand Up @@ -37,8 +37,9 @@ SqlString.escape = function(val, stringifyObjects, timeZone, dialect) {
}
}

if (dialect == "postgres") {
if (dialect === "postgres" || dialect === "sqlite") {
// http://www.postgresql.org/docs/8.2/static/sql-syntax-lexical.html#SQL-SYNTAX-STRINGS
// http://stackoverflow.com/q/603572/130598
val = val.replace(/'/g, "''");
} else {
val = val.replace(/[\0\n\r\b\t\\\'\"\x1a]/g, function(s) {
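Review bot: the new `dialect === "sqlite"` case is documented only by the PostgreSQL links on the lines below it, so a later reader may take it for a copy-paste mistake; add a comment (or link to the SQLite string-literal syntax) stating that SQLite, like PostgreSQL here, doubles single quotes and gives backslash no special meaning, and add a regression test such as `SqlString.escape("a\\'b", false, undefined, "sqlite")` asserting the result is `'a\\''b'`, i.e. the quote doubled and the backslash left alone. Note also that this branch, unlike the `else` branch's `/[\0\n\r\b\t\\\'\"\x1a]/g` replacement, leaves `\0` and `\x1a` in the value untouched; if that is intended for SQLite, say so in the comment.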
