parser: disallow invalid infix for where clause in delete and `upd…

…ate` (#21113)
vlang · Mar 27, 2024 · f6a00fa · f6a00fa
1 parent 1e8d1a4
commit f6a00fa
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 0 deletions.
diff --git a/vlib/v/parser/orm.v b/vlib/v/parser/orm.v
@@ -295,11 +295,23 @@ fn (mut p Parser) parse_sql_stmt_line() ast.SqlStmtLine {
 	} else if kind == .update {
 		p.check_sql_keyword('where') or { return ast.SqlStmtLine{} }
 		where_expr = p.expr(0)
+
+		where_expr_result := p.check_sql_where_expr_has_no_undefined_variables(&where_expr,
+			[])
+		if where_expr_result is ast.NodeError {
+			return ast.SqlStmtLine{}
+		}
 	} else if kind == .delete {
 		table_pos = p.tok.pos()
 		table_type = p.parse_type()
 		p.check_sql_keyword('where') or { return ast.SqlStmtLine{} }
 		where_expr = p.expr(0)
+
+		where_expr_result := p.check_sql_where_expr_has_no_undefined_variables(&where_expr,
+			[])
+		if where_expr_result is ast.NodeError {
+			return ast.SqlStmtLine{}
+		}
 	}
 	return ast.SqlStmtLine{
 		table_expr: ast.TypeNode{

diff --git a/vlib/v/parser/tests/orm_delete_where_invalid_inifx_err.out b/vlib/v/parser/tests/orm_delete_where_invalid_inifx_err.out
@@ -0,0 +1,7 @@
+vlib/v/parser/tests/orm_delete_where_invalid_inifx_err.vv:23:49: error: undefined variable: `client_id`
+   21 |     }!
+   22 |     sql db {
+   23 |         delete from ParameterTable where client_id == client_id && name == name
+      |                                                       ~~~~~~~~~
+   24 |     } or { panic(err) }    
+   25 | }
diff --git a/vlib/v/parser/tests/orm_delete_where_invalid_inifx_err.vv b/vlib/v/parser/tests/orm_delete_where_invalid_inifx_err.vv
@@ -0,0 +1,25 @@
+import db.sqlite
+import rand
+import time
+
+@[table: 'parameter_tables']
+struct ParameterTable {
+	id          string = rand.ulid()    @[primary]
+	name  		string    @[unique: 'client_table']
+	description string
+	table_type  string = 'parameter'
+	client_id   string    @[unique: 'client_table']
+	created     time.Time @[default: 'CURRENT_TIMESTAMP'; sql_type: 'datetime']
+}
+
+fn main() {
+	mut db := sqlite.connect('test.db')!
+	db.synchronization_mode(sqlite.SyncMode.off)!
+	db.journal_mode(sqlite.JournalMode.memory)!	
+	sql db {
+		create table ParameterTable
+	}!
+	sql db {
+		delete from ParameterTable where client_id == client_id && name == name
+	} or { panic(err) }	
+}