Escape a value. knex.raw improvements and joins #160
Comments
For now you can grab the escape function straight from inside the lib: https://github.com/tgriesser/knex/blob/ef0d96ff5a8f3b459996e6981b2d06ad7b28fef7/lib/sqlstring.js
What's the real-world use case for writing a raw statement that uses untrusted variables?
Example:
So this is undocumented, but take a look at the set of variables accepted by https://github.com/tgriesser/knex/blob/06c38bcc2d8b50054bc7c9d844bf4359288cdc98/lib/builder.js#L182
Ideally you should never have to think about escaping queries because you shouldn't need to put untrusted variables inside
The whole escaping thing's fine and dandy; but there's still the issue with raw joins and the fact that bindings in

```
{ sql: 'select `articles`.* from `articles` inner join `articlesMeta` on `articles`.`id` = `articlesMeta`.`articleId` and `articlesMeta`.`key` = \'?\' and `articlesMeta`.`integer` = ? where (`articles`.`private` = ? and `articles`.`disabled` = ?)',
  bindings: [ false, false ],
  __cid: '__cid8' }
```

As you can see there are missing bindings for code generated by:

```coffeescript
@join 'articlesMeta', ->
  @on 'articles.id', '=', 'articlesMeta.articleId'
  @on 'articlesMeta.key', '=', A.knex.raw "'?'", ['c']
  @on 'articlesMeta.integer', '=', A.knex.raw "?", [1]
```

The real-world use case for writing untrusted vars in raw SQL is mostly because Knex isn't flexible enough. I just wouldn't have to do any of this if joins weren't restricted to taking

As it stands I can't really progress with my code without resorting to using the escape function you mentioned in the first comment.
Handling bindings with raw on joins is a bug. We'll take a look at that. In the meantime, if you really want to use escape, it would be really easy to attach that to your instance from within the library.
Thanks. Glad it's a bug :)
Not so much a bug as an unusual case with no tests. PRs are always appreciated, but even if you feel like you can't make the fix it would be cool if you could submit a failing test.
Yeah, I would, but this damn node-gyp for sqlite3 is erroring when I try the test and
Oh, and I have to mention again: at the moment we get a
Not to toot my own horn, but if you don't mind running a virtual machine through Vagrant, this PR might help you out. Trying to configure MySQL/PostgreSQL/SQLite and their native Node client libraries is a headache.
It sure is a headache. Thanks @benesch, might give your PR a go, but someone who knows knex needs to fix this, as having fiddled, it seems it would take me too long until I understand knex's internal structure.
Finally, proper escaping/bindings everywhere with raw queries is now a thing in knex 0.6.
How can I combine knex.raw with .join? I want to do a
and I get this error:
As per #65 - Is there any way to escape a value, like so?
I know that
has been mentioned, but it doesn't work.
An escape function would be great. It would also be nice to write

```javascript
.join( knex.raw(string) )
.join( function() { this.on( knex.raw(string) ) } )
```

etc. As I'd like to use

```sql
AND FIND_IN_SET(articlesMeta.integer, '1,2')
```

in a join ON. To give you an idea of the query I'm aiming to build:
The above query simply selects articles that have the articlesMeta.key "c" (category), with a value of 1 or 2, additionally with an articlesMeta.key matching 'wee'
Correct me if I'm doin it wrong :)
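The dropped join bindings reported in the thread above (the `{ sql, bindings }` dump carrying only two of four values) and the `FIND_IN_SET` condition this issue asks for are both handled once a raw fragment carries its own bindings wherever it is placed. The JavaScript below is an added example written for this page, not knex's code: `raw()`, `compileSelect()` and the `{from, joins, where}` query shape are a minimal model of my own, and the `?` placeholder is left unquoted, because the bound value is quoted when the binding is applied (writing `'?'` in the fragment would wrap the value in a second pair of quotes).

```javascript
// Constructed model of a query compiler that carries the bindings of raw
// fragments through join "on" clauses. Example code for this thread; not knex's
// compiler. raw()/compileSelect() and the query shape are names chosen here.

// A raw fragment: SQL text with `?` placeholders plus the values bound to them.
// The placeholder stays unquoted; the value is quoted when the binding is applied.
function raw(sql, bindings = []) {
  const placeholders = (sql.match(/\?/g) || []).length;
  if (placeholders !== bindings.length) {
    throw new Error(`raw(): ${placeholders} placeholder(s) but ${bindings.length} binding(s)`);
  }
  return { sql, bindings };
}

function isRaw(v) { return v !== null && typeof v === 'object' && typeof v.sql === 'string' && Array.isArray(v.bindings); }

// Backtick-quote a (possibly dotted) identifier, MySQL style; `*` stays bare.
function wrapIdentifier(name) {
  return name.split('.')
    .map((part) => (part === '*' ? '*' : '`' + part.replace(/`/g, '``') + '`'))
    .join('.');
}

// An "on" operand is a column name or a raw fragment; raw bindings go into `out`.
function compileOperand(operand, out) {
  if (isRaw(operand)) { out.push(...operand.bindings); return operand.sql; }
  return wrapIdentifier(operand);
}

// A "where" value is data: it always becomes `?` with the value bound.
function compileValue(value, out) {
  if (isRaw(value)) { out.push(...value.bindings); return value.sql; }
  out.push(value);
  return '?';
}

// A clause is [left, op, right] or a whole raw fragment such as FIND_IN_SET(...).
function compileClause(clause, out) {
  if (isRaw(clause)) { out.push(...clause.bindings); return clause.sql; }
  const [left, op, right] = clause;
  return `${compileOperand(left, out)} ${op} ${compileOperand(right, out)}`;
}

// Compile {from, joins, where} into {sql, bindings}, bindings in placeholder order.
function compileSelect(q) {
  const bindings = [];
  let sql = `select ${wrapIdentifier(q.from + '.*')} from ${wrapIdentifier(q.from)}`;
  for (const join of q.joins || []) {
    const on = join.on.map((clause) => compileClause(clause, bindings)).join(' and ');
    sql += ` inner join ${wrapIdentifier(join.table)} on ${on}`;
  }
  if (q.where && q.where.length > 0) {
    const where = q.where.map(([col, op, v]) => `${wrapIdentifier(col)} ${op} ${compileValue(v, bindings)}`).join(' and ');
    sql += ` where (${where})`;
  }
  return { sql, bindings };
}

// The join from the bug report above, with the placeholders left unquoted.
function articlesByMeta() {
  return compileSelect({
    from: 'articles',
    joins: [{
      table: 'articlesMeta',
      on: [
        ['articles.id', '=', 'articlesMeta.articleId'],
        ['articlesMeta.key', '=', raw('?', ['c'])],
        ['articlesMeta.integer', '=', raw('?', [1])],
      ],
    }],
    where: [['articles.private', '=', false], ['articles.disabled', '=', false]],
  });
}

// FIND_IN_SET in a join ON with the list bound, not interpolated. The ids are
// treated as untrusted input and validated as integers before being joined.
function articlesInCategories(categoryIds, key) {
  if (!Array.isArray(categoryIds) || !categoryIds.every((id) => Number.isInteger(id))) {
    throw new TypeError('categoryIds must be an array of integers');
  }
  return compileSelect({
    from: 'articles',
    joins: [{
      table: 'articlesMeta',
      on: [
        ['articles.id', '=', 'articlesMeta.articleId'],
        ['articlesMeta.key', '=', raw('?', [key])],
        raw('FIND_IN_SET(`articlesMeta`.`integer`, ?)', [categoryIds.join(',')]),
      ],
    }],
  });
}

console.log(articlesByMeta());
console.log(articlesInCategories([1, 2], 'c'));
```

Everything user-controlled (the meta key, the category list) reaches the statement only as a binding; the only text spliced into the SQL is identifiers the application itself names. `raw()` also refuses a fragment whose placeholder count and binding count disagree, so a missing value fails when the query is built instead of producing a statement that silently runs with the wrong values.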