From da4fc06e2d32499c62be2b99460ac52e8cc1257e Mon Sep 17 00:00:00 2001
From: Kevin Jose Martin
Date: Fri, 26 Aug 2016 20:45:26 -0400
Subject: [PATCH 1/4] Add support for `toSQL(dialect)` escaping.
---
 lib/SqlString.js | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lib/SqlString.js b/lib/SqlString.js
index af7deb7..b60f39b 100644
--- a/lib/SqlString.js
+++ b/lib/SqlString.js
@@ -45,6 +45,8 @@ SqlString.escape = function escape(val, stringifyObjects, timeZone) {
 return SqlString.arrayToList(val, timeZone);
 } else if (Buffer.isBuffer(val)) {
 return SqlString.bufferToString(val);
+ } else if (typeof val.toSQL === 'function') {
+ return val.toSQL('mysql');
 } else if (stringifyObjects) {
 val = val.toString();
 } else {
From 39dedef4033e112d87c0285a315b3a42dfa45982 Mon Sep 17 00:00:00 2001
From: Kevin Jose Martin
Date: Fri, 26 Aug 2016 21:03:05 -0400
Subject: [PATCH 2/4] Add unit tests for `toSQL()` escaping
---
 test/unit/test-SqlString.js | 39 +++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/test/unit/test-SqlString.js b/test/unit/test-SqlString.js
index 37f600b..b2576e9 100644
--- a/test/unit/test-SqlString.js
+++ b/test/unit/test-SqlString.js
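Review bot: The string returned by `val.toSQL('mysql')` is handed back from `escape` verbatim, so the new branch turns any object carrying a `toSQL` function into a source of raw, unescaped SQL, and neither a comment nor a type check records that contract; the return value is also never checked, so a `toSQL()` that returns `undefined` makes `escape` return `undefined`. I would replace the added `return` with `var sql = val.toSQL('mysql'); // trusted: inserted verbatim, never escaped` followed by `if (typeof sql !== 'string') throw new TypeError('toSQL() must return a string');` and `return sql;`. The `typeof val.toSQL` test presumably relies on earlier branches of `escape`, outside this hunk, having already returned for `null`/`undefined`, since the property access would otherwise throw. `escape` begins before and continues past this hunk.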
@@ -188,6 +188,45 @@ test('SqlString.escape', {
 assert.strictEqual(string, "X'00\\' OR \\'1\\'=\\'1'");
 },
 
+ 'native objects with toSQL() properties are escaped': function() {
+ var expected = 'some bad sql syntax';
+ var input = {
+ toSQL: function() {
+ return expected;
+ }
+ };
+
+ var string = SqlString.escape(input);
+
+ assert.strictEqual(string, expected);
+ },
+
+ 'class objects with toSQL() methods are escaped': function() {
+ var expected = 'more bad sql syntax';
+
+ function SomeClass() {}
+
+ SomeClass.prototype.toSQL = function() {
+ return expected;
+ };
+
+ var input = new SomeClass();
+ var string = SqlString.escape(input);
+
+ assert.strictEqual(string, expected);
+ },
+
+ 'objects with toSQL() methods are passed "mysql" as first parameter': function() {
+ function WithDialect() {
+ this.toSQL = function(dialect) {
+ assert.strictEqual(string, 'mysql');
+ }
+ }
+
+ var input = new WithDialect();
+ var string = SqlString.escape(input);
+ },
+
 'NaN -> NaN': function() {
 assert.equal(SqlString.escape(NaN), 'NaN');
 },
From bb30e8127ba36eeaf86f687d3f36ffb3403ca391 Mon Sep 17 00:00:00 2001
From: Kevin Jose Martin
Date: Fri, 26 Aug 2016 21:37:54 -0400
Subject: [PATCH 3/4] Fix typo in test... :(
---
 test/unit/test-SqlString.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/unit/test-SqlString.js b/test/unit/test-SqlString.js
index b2576e9..27c916d 100644
--- a/test/unit/test-SqlString.js
+++ b/test/unit/test-SqlString.js
@@ -219,7 +219,7 @@ test('SqlString.escape', {
 'objects with toSQL() methods are passed "mysql" as first parameter': function() {
 function WithDialect() {
 this.toSQL = function(dialect) {
- assert.strictEqual(string, 'mysql');
+ assert.strictEqual(dialect, 'mysql');
 }
 }
 
From 04889b84eeca08580aa338d0e4493ba4bcaecbeb Mon Sep 17 00:00:00 2001
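Review bot: The third added test, `'objects with toSQL() methods are passed "mysql" as first parameter'`, passes even when `toSQL()` is never invoked, because its only assertion lives inside the callback and the value returned by `SqlString.escape(input)` is never checked; the two following hunks in this series edit the same test and leave that gap in place. Recording the dialect the callback receives, asserting on it after the call, and asserting on the returned string makes the test fail if the branch is skipped. The first two tests return unescaped text such as `'some bad sql syntax'` and assert it comes back verbatim, which is the right check for this contract, but a one-line comment on them saying that `toSQL()` output is trusted and inserted unescaped would record why that result is expected.
```javascript
// … unchanged: preceding toSQL() tests …
'objects with toSQL() methods are passed "mysql" as first parameter': function() {
  var dialects = [];

  function WithDialect() {
    this.toSQL = function(dialect) {
      dialects.push(dialect);
      return 'escaped';
    };
  }

  var string = SqlString.escape(new WithDialect());

  assert.deepEqual(dialects, ['mysql']);
  assert.strictEqual(string, 'escaped');
},
```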
From: Kevin Jose Martin
Date: Fri, 26 Aug 2016 21:44:24 -0400
Subject: [PATCH 4/4] Add missing semi-colon on test https://cdn.meme.am/instances/64495271.jpg
---
 test/unit/test-SqlString.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/unit/test-SqlString.js b/test/unit/test-SqlString.js
index 27c916d..4b9c9d0 100644
--- a/test/unit/test-SqlString.js
+++ b/test/unit/test-SqlString.js
@@ -220,7 +220,7 @@ test('SqlString.escape', {
 function WithDialect() {
 this.toSQL = function(dialect) {
 assert.strictEqual(dialect, 'mysql');
- }
+ };
 }
 
 var input = new WithDialect();