bind value to avoid possibility of sql injection

vapor · Feb 23, 2019 · 703ccb0 · 703ccb0
1 parent f68e3d5
commit 703ccb0
Showing 1 changed file with 3 additions and 4 deletions.
diff --git a/Sources/FluentSQL/SQL+QuerySupporting.swift b/Sources/FluentSQL/SQL+QuerySupporting.swift
@@ -158,8 +158,8 @@ extension QuerySupporting where
     QueryKey.Expression == QueryKey.Expression.Function.Argument.Expression
 {
     /// See `QuerySupporting`.
-    public static func queryAggregate<D>(_ name: QueryAggregate, _ fields: [QueryKey], default: D) -> QueryKey
-        where D: Decodable
+    public static func queryAggregate<C>(_ name: QueryAggregate, _ fields: [QueryKey], default: C) -> QueryKey
+        where C: Codable
     {
         let args: [QueryKey.Expression.Function.Argument] = fields.compactMap { expr in
             if expr.isAll {
@@ -170,8 +170,7 @@ extension QuerySupporting where
                 return nil
             }
         }
-
-        return .expression(.coalesce(.function(.function(name, args)), .literal(.numeric(String(describing: `default`)))), alias: .identifier("fluentAggregate"))
+        return .expression(.coalesce(.function(.function(name, args)), .bind(.encodable(`default`))), alias: .identifier("fluentAggregate"))
     }
 
     /// See `QuerySupporting`.