Remove object key-value-pair escape behavior · mysqljs/sqlstring@0f7cdaf · GitHub


Commit 0f7cdaf

committed
Remove object key-value-pair escape behavior
1 parent 5aa85a7 commit 0f7cdaf


4 files changed

+26
-73
lines changed


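--- a/HISTORY.md
+++ b/HISTORY.md
@@ -1,3 +1,8 @@
+unreleased
+==========
+
+* Remove object key-value-pair escape behavior
+
 2.3.3 / 2022-03-06
 ==================
 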

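--- a/README.md
+++ b/README.md
@@ -75,24 +75,14 @@ Different value types are escaped differently, here is how:
   'b'], ['c', 'd']]` turns into `('a', 'b'), ('c', 'd')`
 * Objects that have a `toSqlString` method will have `.toSqlString()` called
   and the returned value is used as the raw SQL.
-* Objects are turned into `key = 'val'` pairs for each enumerable property on
-  the object. If the property's value is a function, it is skipped; if the
-  property's value is an object, toString() is called on it and the returned
-  value is used.
 * `undefined` / `null` are converted to `NULL`
 * `NaN` / `Infinity` are left as-is. MySQL does not support these, and trying
   to insert them as values will trigger MySQL errors until they implement
   support.
+* All other values types are converted to a string using the global `String()`
+  and the resulting value is escaped.
 
-You may have noticed that this escaping allows you to do neat things like this:
-
-```js
-var post = {id: 1, title: 'Hello MySQL'};
-var sql = SqlString.format('INSERT INTO posts SET ?', post);
-console.log(sql); // INSERT INTO posts SET `id` = 1, `title` = 'Hello MySQL'
-```
-
-And the `toSqlString` method allows you to form complex queries with functions:
+The `toSqlString` method allows you to form complex queries with functions:
 
 ```js
 var CURRENT_TIMESTAMP = { toSqlString: function() { return 'CURRENT_TIMESTAMP()'; } };
@@ -176,17 +166,17 @@ console.log(sql); // SELECT * FROM `users` WHERE `id` = 1
 
 Following this you then have a valid, escaped query that you can then send to the database safely.
 This is useful if you are looking to prepare the query before actually sending it to the database.
-You also have the option (but are not required) to pass in `stringifyObject` and `timeZone`,
-allowing you provide a custom means of turning objects into strings, as well as a
+You also have the option (but are not required) to pass in `timeZone`, allowing you provide a
 location-specific/timezone-aware `Date`.
 
 This can be further combined with the `SqlString.raw()` helper to generate SQL
 that includes MySQL functions as dynamic vales:
 
 ```js
 var userId = 1;
-var data = { email: 'foobar@example.com', modified: SqlString.raw('NOW()') };
-var sql = SqlString.format('UPDATE ?? SET ? WHERE `id` = ?', ['users', data, userId]);
+var email = 'foobar@example.com';
+var sql = SqlString.format('UPDATE ?? SET `email` = ?, `modified` = ? WHERE `id` = ?',
+  ['users', email, SqlString.raw('NOW()'), userId]);
 console.log(sql); // UPDATE `users` SET `email` = 'foobar@example.com', `modified` = NOW() WHERE `id` = 1
 ```
 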
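--- a/lib/SqlString.js
+++ b/lib/SqlString.js
@@ -31,14 +31,14 @@ SqlString.escapeId = function escapeId(val, forbidQualified) {
   }
 };
 
-SqlString.escape = function escape(val, stringifyObjects, timeZone) {
+SqlString.escape = function escape(val, timeZone) {
   if (val === undefined || val === null) {
     return 'NULL';
   }
 
   switch (typeof val) {
     case 'boolean': return (val) ? 'true' : 'false';
-    case 'number': return val + '';
+    case 'number': return String(val);
     case 'object':
       if (Object.prototype.toString.call(val) === '[object Date]') {
         return SqlString.dateToString(val, timeZone || 'local');
@@ -48,12 +48,10 @@ SqlString.escape = function escape(val, stringifyObjects, timeZone) {
         return SqlString.bufferToString(val);
       } else if (typeof val.toSqlString === 'function') {
         return String(val.toSqlString());
-      } else if (stringifyObjects) {
-        return escapeString(val.toString());
       } else {
-        return SqlString.objectToValues(val, timeZone);
+        return escapeString(String(val));
       }
-    default: return escapeString(val);
+    default: return escapeString(String(val));
   }
 };
 
@@ -167,22 +165,6 @@ SqlString.bufferToString = function bufferToString(buffer) {
   return 'X' + escapeString(buffer.toString('hex'));
 };
 
-SqlString.objectToValues = function objectToValues(object, timeZone) {
-  var sql = '';
-
-  for (var key in object) {
-    var val = object[key];
-
-    if (typeof val === 'function') {
-      continue;
-    }
-
-    sql += (sql.length === 0 ? '' : ', ') + SqlString.escapeId(key) + ' = ' + SqlString.escape(val, true, timeZone);
-  }
-
-  return sql;
-};
-
 SqlString.raw = function raw(sql) {
   if (typeof sql !== 'string') {
     throw new TypeError('argument sql must be a string');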
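Review bot: Dropping `stringifyObjects` from the `SqlString.escape` signature (first hunk, line 34) shifts `timeZone` into the second position, so a caller written against 2.3.3 such as `SqlString.escape(date, false, 'Z')` now binds `false` to `timeZone`, falls into `timeZone || 'local'`, and silently formats the date in local time instead of the zone it asked for. The HISTORY entry records only the removal, not the arity change; the release should either be marked breaking or `escape` should tolerate the old call shape for a cycle, e.g. `if (arguments.length > 2) { timeZone = arguments[2]; } // 2.x signature was escape(val, stringifyObjects, timeZone)` before the `switch`. `SqlString.format` is not touched by this commit; if it still forwards a `stringifyObjects` argument as the second parameter of `escape` (the test file keeps calling `format('?', obj, false)` and `format('?', obj, true)`), that boolean now lands in `timeZone` and should be checked. The body of `escape` spans the first two hunks, with lines 45–47 outside them.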

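--- a/test/unit/test-SqlString.js
+++ b/test/unit/test-SqlString.js
@@ -71,16 +71,9 @@ test('SqlString.escape', {
     assert.equal(SqlString.escape(SqlString.raw('NOW()')), 'NOW()');
   },
 
-  'objects are turned into key value pairs': function() {
-    assert.equal(SqlString.escape({a: 'b', c: 'd'}), "`a` = 'b', `c` = 'd'");
-  },
-
-  'objects function properties are ignored': function() {
-    assert.equal(SqlString.escape({a: 'b', c: function() {}}), "`a` = 'b'");
-  },
-
-  'object values toSqlString is called': function() {
-    assert.equal(SqlString.escape({id: { toSqlString: function() { return 'LAST_INSERT_ID()'; } }}), '`id` = LAST_INSERT_ID()');
+  'objects are turned into string value': function() {
+    assert.equal(SqlString.escape({ 'hello': 'world' }), "'[object Object]'");
+    assert.equal(SqlString.escape({ toString: function () { return 'hello'; } }), "'hello'");
   },
 
   'objects toSqlString is called': function() {
@@ -91,18 +84,6 @@ test('SqlString.escape', {
     assert.equal(SqlString.escape({ toSqlString: function() { return 'CURRENT_TIMESTAMP()'; } }), 'CURRENT_TIMESTAMP()');
   },
 
-  'nested objects are cast to strings': function() {
-    assert.equal(SqlString.escape({a: {nested: true}}), "`a` = '[object Object]'");
-  },
-
-  'nested objects use toString': function() {
-    assert.equal(SqlString.escape({a: { toString: function() { return 'foo'; } }}), "`a` = 'foo'");
-  },
-
-  'nested objects use toString is quoted': function() {
-    assert.equal(SqlString.escape({a: { toString: function() { return "f'oo"; } }}), "`a` = 'f\\'oo'");
-  },
-
   'arrays are turned into lists': function() {
     assert.equal(SqlString.escape([1, 2, 'c']), "1, 2, 'c'");
   },
@@ -179,39 +160,39 @@ test('SqlString.escape', {
   'dates are converted to specified time zone "Z"': function() {
     var expected = '2012-05-07 11:42:03.002';
     var date = new Date(Date.UTC(2012, 4, 7, 11, 42, 3, 2));
-    var string = SqlString.escape(date, false, 'Z');
+    var string = SqlString.escape(date, 'Z');
 
     assert.strictEqual(string, "'" + expected + "'");
   },
 
   'dates are converted to specified time zone "+01"': function() {
     var expected = '2012-05-07 12:42:03.002';
     var date = new Date(Date.UTC(2012, 4, 7, 11, 42, 3, 2));
-    var string = SqlString.escape(date, false, '+01');
+    var string = SqlString.escape(date, '+01');
 
     assert.strictEqual(string, "'" + expected + "'");
   },
 
   'dates are converted to specified time zone "+0200"': function() {
     var expected = '2012-05-07 13:42:03.002';
     var date = new Date(Date.UTC(2012, 4, 7, 11, 42, 3, 2));
-    var string = SqlString.escape(date, false, '+0200');
+    var string = SqlString.escape(date, '+0200');
 
     assert.strictEqual(string, "'" + expected + "'");
   },
 
   'dates are converted to specified time zone "-05:00"': function() {
     var expected = '2012-05-07 06:42:03.002';
     var date = new Date(Date.UTC(2012, 4, 7, 11, 42, 3, 2));
-    var string = SqlString.escape(date, false, '-05:00');
+    var string = SqlString.escape(date, '-05:00');
 
     assert.strictEqual(string, "'" + expected + "'");
   },
 
   'dates are converted to UTC for unknown time zone': function() {
     var date = new Date(Date.UTC(2012, 4, 7, 11, 42, 3, 2));
-    var expected = SqlString.escape(date, false, 'Z');
-    var string = SqlString.escape(date, false, 'foo');
+    var expected = SqlString.escape(date, 'Z');
+    var string = SqlString.escape(date, 'foo');
 
     assert.strictEqual(string, expected);
   },
@@ -291,13 +272,8 @@ test('SqlString.format', {
     assert.equal(sql, '?');
   },
 
-  'objects is converted to values': function () {
+  'objects is converted to string value': function () {
     var sql = SqlString.format('?', { 'hello': 'world' }, false);
-    assert.equal(sql, "`hello` = 'world'");
-  },
-
-  'objects is not converted to values': function () {
-    var sql = SqlString.format('?', { 'hello': 'world' }, true);
     assert.equal(sql, "'[object Object]'");
 
     var sql = SqlString.format('?', { toString: function () { return 'hello'; } }, true);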
