chroma icon indicating copy to clipboard operation
chroma copied to clipboard

Published 20 hours ago verified publisher icon chroma-core

"Parser Error: syntax error at or near" when a string contains apostrophe

Open tezer opened this issue 2 years ago • 4 comments
trafficstars

When where_document contains a string with an apostrophe, I get Parser Error: syntax error at or near For example, for the string "company's", I get:

Parser Error: syntax error at or near "s"
LINE 1: ...M embeddings WHERE position('company's' in document) > 0 AND collection_uuid...

The problem is in duckdb.py at line 232:

        val = self._conn.execute(
            f"""SELECT {",".join(select_columns)} FROM embeddings {where}"""
        ).fetchall()

Apparently, the DB query contains an unescaped apostrophe which breaks it. I was trying to escape the apostrophe, but it didn't work.

tezer avatar Mar 30 '23 20:03 tezer

@tezer this should definitely be handled more elegantly.

as a workaround, i wonder if doing html encoding, eg %27 for ' would solve the issue?

jeffchuber avatar Mar 30 '23 20:03 jeffchuber

Yes, the problem is gone, but nothing is found. The same achieved by simply deleting the apostrophe: it fails to match the string during DB look up. The problem, I think, roots in how the where string is composed. It simply concatenated from the user input and SQL commands and then is passed to the query. It is also constituting a SQL injection vulnerability when a user can pass through a malicious command with their query. You should use SQL parameters for queries to avoid this.

tezer avatar Mar 30 '23 21:03 tezer

I agree, we should fix how this is handled. We will look into it - thanks for flagging.

HammadB avatar Mar 30 '23 21:03 HammadB

from Luke: "Known issue. Fix is on the roadmap (we are replacing DuckDB)"

swyxio avatar Apr 27 '23 00:04 swyxio

Completed with Chroma 0.4 - we dropped duckdb

jeffchuber avatar Jul 27 '23 18:07 jeffchuber