From 8647faa5a9208f17a31bf2161cdd9413c4c9021c Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Tue, 22 Mar 2016 21:22:58 +0000
Subject: [PATCH 1/4] fix finding null values

---
 lib/dbwrap.js | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/lib/dbwrap.js b/lib/dbwrap.js
index cc67861..3e09731 100644
--- a/lib/dbwrap.js
+++ b/lib/dbwrap.js
@@ -13,7 +13,12 @@ function wrap(db, dir, dbsMap) {
 }
 db.escape = function (str) {
-return (str||'').toString().replace(/'/g, "''");
+// TODO? literals for true,false,null
+// error on undefined?
+if (undefined === str) {
+str = '';
+}
+return String(str).replace(/'/g, "''");
 };
 function lowerFirst(str) {
@@ -233,10 +238,13 @@ function wrap(db, dir, dbsMap) {
 sql += 'AND ';
 }
 if (null === obj[key]) {
-sql += db.escape(snakeCase(key)) + " IS '" + db.escape(obj[key]) + "'";
+sql += db.escape(snakeCase(key)) + " IS null";
 }
 else {
-sql += db.escape(snakeCase(key)) + " = '" + db.escape(obj[key]) + "'";
+// TODO check that key is some type? ignore undefined?
+if (undefined === obj[key]) {
+sql += db.escape(snakeCase(key)) + " = '" + db.escape(obj[key]) + "'";
+}
 }
 });
 }

From cb39b6282ef63f7a7167de553b60ae54d2e8e0ec Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Tue, 22 Mar 2016 21:43:13 +0000
Subject: [PATCH 2/4] fix for null

---
 lib/dbwrap.js | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/lib/dbwrap.js b/lib/dbwrap.js
index 3e09731..39c8364 100644
--- a/lib/dbwrap.js
+++ b/lib/dbwrap.js
@@ -226,7 +226,16 @@ function wrap(db, dir, dbsMap) {
 });
 };
-DB.find = function (obj, params) {
+DB.find = function (obj1, params) {
+//var obj = obj1;
+var obj = {};
+if (obj1) {
+Object.keys(obj1).forEach(function (key) {
+if (undefined !== obj1[key]) {
+obj[key] = obj1[key];
+}
+});
+}
 var sql = 'SELECT * FROM \'' + tablename + '\' ';
 var keys = obj && Object.keys(obj);
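Review bot: `String(null)` is the text `null`, so after this change `db.escape(null)` returns those four characters and a caller that wraps the result in quotes produces the string literal `'null'`, not SQL NULL; the `IS null` rewrite in the second hunk of this patch sidesteps that for the one call it touches, but the TODO above it stays open. If the intent is to refuse `undefined`, `if (undefined === str) { throw new TypeError('db.escape: value is undefined'); }` surfaces the mistake at the call site instead of silently turning it into an empty string. A one-line comment such as `// only valid for a value placed between single quotes; not an identifier escape` would also document what this helper does and does not protect. The enclosing wrap() starts and ends outside the hunk.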
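Review bot: `db.escape(snakeCase(key))` is spliced into the WHERE clause as a bare column name on both the `IS null` and the `= '...'` lines, and doubling single quotes does nothing for an unquoted identifier, so whatever a caller puts in a key of `obj` reaches the SQL text essentially as-is; the helper is only meaningful for the quoted value on the right-hand side. Checking each key against the table's known columns, or at least against a strict identifier pattern before the `forEach` that builds the clause, e.g. `if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(snakeCase(key))) { return PromiseA.reject(new Error('invalid column name: ' + key)); }`, closes that path. Separately, the new `if (undefined === obj[key])` branch emits a condition only when the value is undefined and silently drops every defined value, which the next patch in this series reverts. The enclosing DB.find starts and ends outside the hunk.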
@@ -242,13 +251,11 @@ function wrap(db, dir, dbsMap) {
 }
 else {
 // TODO check that key is some type? ignore undefined?
-if (undefined === obj[key]) {
-sql += db.escape(snakeCase(key)) + " = '" + db.escape(obj[key]) + "'";
-}
+sql += db.escape(snakeCase(key)) + " = '" + db.escape(obj[key]) + "'";
 }
 });
 }
-else if (null !== obj || (params && !params.limit)) {
+else if (null !== obj1 || (params && !params.limit)) {
 return PromiseA.reject(new Error("to find all you must explicitly specify find(null, { limit: <> })"));
 }

From 422be49b1abf231cba004200cabdc947440320de Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Wed, 23 Mar 2016 03:37:20 +0000
Subject: [PATCH 3/4] disallow accidental undefined as a find value

---
 lib/dbwrap.js | 18 +++++++++--------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/lib/dbwrap.js b/lib/dbwrap.js
index 39c8364..c480e01 100644
--- a/lib/dbwrap.js
+++ b/lib/dbwrap.js
@@ -226,15 +226,15 @@ function wrap(db, dir, dbsMap) {
 });
 };
-DB.find = function (obj1, params) {
-//var obj = obj1;
-var obj = {};
-if (obj1) {
-Object.keys(obj1).forEach(function (key) {
-if (undefined !== obj1[key]) {
-obj[key] = obj1[key];
-}
-});
+DB.find = function (obj, params) {
+var err;
+Object.keys(obj).forEach(function (key) {
+if (undefined === obj[key]) {
+err = new Error("'" + key + "' was `undefined'. For security purposes you must explicitly set the value to null or ''");
+}
+});
+if (err) {
+return PromiseA.reject(err);
 }
 var sql = 'SELECT * FROM \'' + tablename + '\' ';
 var keys = obj && Object.keys(obj);

From 2501c2fd4d7a7269240e6d676b79b17a91329863 Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Wed, 23 Mar 2016 03:38:59 +0000
Subject: [PATCH 4/4] fix syntax bug

---
 lib/dbwrap.js | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/lib/dbwrap.js b/lib/dbwrap.js
index c480e01..f7d2887 100644
--- a/lib/dbwrap.js
+++ b/lib/dbwrap.js
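Review bot: The `else if (null !== obj1 || ...)` branch is now reached whenever the filtered `obj` has no keys, so `find({})` and `find({ id: undefined })` both reject with a message that talks about `find(null, { limit: <> })` even though the caller did pass an object; the message then points at the wrong fix. A distinct message for the non-null case, e.g. `if (null !== obj1) { return PromiseA.reject(new Error("find() was given an object with no usable conditions")); }` ahead of the existing check, tells the caller what actually went wrong. The enclosing DB.find starts outside the hunk.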
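Review bot: The `forEach` overwrites `err` on every undefined key and keeps iterating, so when several keys are undefined only the last one is named in the rejection and the first offender is lost. `var bad = Object.keys(obj).find(function (key) { return undefined === obj[key]; });` followed by `if (bad !== undefined) { return PromiseA.reject(new Error(...)); }` stops at the first hit and reports it; the `!== undefined` comparison matters because an empty-string key is a legal but falsy result. Rejecting rather than silently dropping such keys is the right call here, since a dropped condition widens the result set without the caller noticing. The enclosing DB.find continues past the end of the hunk.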
@@ -228,16 +228,19 @@ function wrap(db, dir, dbsMap) {
 DB.find = function (obj, params) {
 var err;
-Object.keys(obj).forEach(function (key) {
-if (undefined === obj[key]) {
-err = new Error("'" + key + "' was `undefined'. For security purposes you must explicitly set the value to null or ''");
-}
-});
+var sql = 'SELECT * FROM \'' + tablename + '\' ';
+var keys = obj && Object.keys(obj);
+
+if (obj) {
+Object.keys(obj).forEach(function (key) {
+if (undefined === obj[key]) {
+err = new Error("'" + key + "' was `undefined'. For security purposes you must explicitly set the value to null or ''");
+}
+});
+}
 if (err) {
 return PromiseA.reject(err);
 }
-var sql = 'SELECT * FROM \'' + tablename + '\' ';
-var keys = obj && Object.keys(obj);
 if (obj && keys.length) {
 sql += 'WHERE ';
@@ -255,7 +258,7 @@ function wrap(db, dir, dbsMap) {
 }
 });
 }
-else if (null !== obj1 || (params && !params.limit)) {
+else if (null !== obj || (params && !params.limit)) {
 return PromiseA.reject(new Error("to find all you must explicitly specify find(null, { limit: <> })"));
 }
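Review bot: `Object.keys(obj)` is computed twice in the new code, once into `keys` two lines earlier and again inside the `if (obj)` guard, so the guard can reuse it: `if (keys) { keys.forEach(function (key) { ... }); }`, which also makes the null-guard and the key list come from the same expression. The guard itself is the fix for the synchronous TypeError that `find(null, { limit: ... })` hit in the previous patch, and it is worth a one-line comment such as `// obj may be null for an explicit find-all; see the limit check below` so the next reader does not simplify it away. The second hunk only corrects the leftover `obj1` reference. The enclosing DB.find continues past the end of both hunks.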