sanitize_param() not correctly resolving when using nested columns

[vidski]

Describe the bug When filtering for a nested column, sanitize_param is adding unneccessary " "

To Reproduce supabase.table('character_inventory').select('character(*), slot, item(*, template(*))').eq('character.user_id', user_id).execute()

resolves to: /rest/v1/character_inventory?select=character(*),+slot,+item(*,+template(*))&"character.user_id"=eq.2731f9cc-17f4-42a2-839a-d25dfe8d90a8 returns HTTP 400

Expected behavior Should resolve to: /rest/v1/character_inventory?select=character(*),+slot,+item(*,+template(*))&character.user_id=eq.2731f9cc-17f4-42a2-839a-d25dfe8d90a8 returns HTTP 200

Screenshots

Desktop:

• OS: Windows 11
• Version: latest

[vidski]

[vidski]

Is there a reason to sanitize the column at all? In the postgrest-js client all we do is remove whitespaces.

[anand2312]

Is there a reason to sanitize the column at all? In the postgrest-js client all we do is remove whitespaces.

Column names can contain postgrest special characters which need to be escaped. The js client errors out because of this; see supabase/postgrest-js#262

Are you sure you are on the latest version though? The code in that screenshot doesn't look like it is from the latest version Can you make sure you are using supabase-py 0.5.5 (postgrest-py 0.10.1 or greater)?

[vidski]

I'm fine with escaping ',:()', but escaping '.' results in a wrong behaviour which makes it impossible to filter on foreign columns.

eq('table_a.table_b.id', my_id) will currently resolve to "table_a.table_b.id", but should resolve to "table_a"."table_b"."id". Maybe we should first split the column by '.', escape each item, and join using '.'.

This is using supabase-py 0.5.5 and postgrest-py 0.10.2

[vidski]

Example

[anand2312]

Yeah I get what you mean 👍🏼 this'll be fixed in the next release. Thanks for the report!