
String literals are not escaped (unless used as params)

Open dawkot opened this issue 5 years ago • 5 comments

There's a difference in how Ormin treats special UTF-8 character codes in comparison to db_sqlite:

# db_sqlite inserts "ó"
db.exec sql"insert into product(name) values (?)", "ó"

# Ormin inserts "\xC3\xB3"
query:
  insert product(name="ó")

dawkot avatar Jun 09 '20 17:06 dawkot

unit test:

import ormin, os, unittest
from db_sqlite import exec

# model.sql contains "create table product(name text)";
importModel sqlite, "model"

removeFile "data.db"
let db = open("data.db", user="", password="", database="")
db.exec readFile("model.sql").sql

test "Special UTF-8 codes are inserted and read correctly":
  query:
    insert product(name="ó")

  let name = query:
    select product(name)
    limit 1

  check name == "ó"

dawkot avatar Jun 10 '20 01:06 dawkot

The UTF-8 string literal in the SQL is escaped; you should use a param:

let s = "ó"
query:
  insert product(name = ?s)
let name = query:
  select product(name)
  limit 1
check name == s

huaxk avatar Jun 10 '20 03:06 huaxk
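To make the difference concrete outside of Ormin, here is an added example (not code from the issue or from the Ormin project) that reproduces the two behaviours against SQLite from Python. `nim_style_escape` is an assumed model of the escaping the issue reports (non-ASCII bytes rendered as `\xNN`, as in a Nim string literal), not Ormin's actual implementation; `sql_quote` is the standard SQL literal quoting that an ORM would need instead, and the bound-parameter path is what huaxk's reply recommends.

```python
import sqlite3

# Constructed sample inputs: the "ó" from the issue, plus a value with an
# embedded single quote to show what each strategy does with it.
SAMPLE = "ó"
SAMPLE_QUOTE = "d'ó"


def nim_style_escape(s: str) -> str:
    """Render a string the way a Nim string literal escapes it: printable
    ASCII as-is, everything else (and quotes/backslashes) as \\xNN.
    ASSUMPTION: this models the escaping the issue describes; it is not
    Ormin's code."""
    out = []
    for b in s.encode("utf-8"):
        if 32 <= b < 127 and chr(b) not in "'\\":
            out.append(chr(b))
        else:
            out.append("\\x%02X" % b)
    return "".join(out)


def sql_quote(s: str) -> str:
    """SQL-standard string literal: wrap in single quotes and double any
    embedded single quote. SQL has no backslash escapes, so this is the
    only escaping a literal needs."""
    return "'" + s.replace("'", "''") + "'"


def _store_and_read(db_action) -> str:
    """Create a fresh in-memory product table (same schema as model.sql),
    run db_action(db), and return the single stored name."""
    db = sqlite3.connect(":memory:")
    db.execute("create table product(name text)")
    db_action(db)
    return db.execute("select name from product limit 1").fetchone()[0]


def insert_with_param(value: str) -> str:
    """Bound parameter: the driver hands the text to SQLite untouched."""
    return _store_and_read(
        lambda db: db.execute("insert into product(name) values (?)", (value,)))


def insert_with_nim_escape(value: str) -> str:
    """\\xNN escaping spliced into a SQL literal: SQLite does not interpret
    backslashes, so the characters \\xC3\\xB3 themselves are stored."""
    return _store_and_read(
        lambda db: db.execute(
            "insert into product(name) values ('%s')" % nim_style_escape(value)))


def insert_with_sql_quote(value: str) -> str:
    """SQL quoting: the value round-trips, single quotes included."""
    return _store_and_read(
        lambda db: db.execute(
            "insert into product(name) values (%s)" % sql_quote(value)))


if __name__ == "__main__":
    print(insert_with_param(SAMPLE))            # ó
    print(insert_with_nim_escape(SAMPLE))       # \xC3\xB3
    print(insert_with_nim_escape(SAMPLE_QUOTE)) # d\x27\xC3\xB3
    print(insert_with_sql_quote(SAMPLE_QUOTE))  # d'ó
```

Two things are worth noting from running it. First, the `\xNN` rendering does keep a single quote from terminating the literal (it becomes `\x27`), so the modelled escaping is not an injection hole by itself; it simply corrupts every non-ASCII or quoted value, which is exactly the data-loss bug the issue reports. Second, the bound-parameter path is both the correct and the simplest fix, and it is the one a reviewer should insist on for any value that did not originate in the program text.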

Thanks, you're right, but in this case I think it's a bug that you can even pass unquoted literals, so I'll leave this issue open.

dawkot avatar Jun 10 '20 21:06 dawkot

"you can even pass unquoted literals": I don't quite understand. Could you be more specific, or give an example?

huaxk avatar Jun 11 '20 00:06 huaxk

I used the wrong term. It's just that there's no reason string literals shouldn't be properly escaped.

dawkot avatar Jun 11 '20 21:06 dawkot