Merge branch 'master' of github.com:coolaj86/node-masterquest-sqlite3

2016-03-26 17:03:26 -04:00 · 2016-03-26 17:03:26 -04:00 · edb2588095
parent ce430e63c0 2501c2fd4d
commit edb2588095
1 changed files with 20 additions and 2 deletions
--- a/lib/dbwrap.js
+++ b/lib/dbwrap.js
@ -13,7 +13,12 @@ function wrap(db, dir, dbsMap) {
  }

  db.escape = function (str) {
-    return (str||'').toString().replace(/'/g, "''");
+    // TODO? literals for true,false,null
+    // error on undefined?
+    if (undefined === str) {
+      str = '';
+    }
+    return String(str).replace(/'/g, "''");
  };

  function lowerFirst(str) {
@ -229,9 +234,21 @@ function wrap(db, dir, dbsMap) {
    };

    DB.find = function (obj, params) {
+      var err;
      var sql = 'SELECT * FROM \'' + tablename + '\' ';
      var keys = obj && Object.keys(obj);

+      if (obj) {
+        Object.keys(obj).forEach(function (key) {
+          if (undefined === obj[key]) {
+            err = new Error("'" + key + "' was `undefined'. For security purposes you must explicitly set the value to null or ''");
+          }
+        });
+      }
+      if (err) {
+        return PromiseA.reject(err);
+      }
+
      if (obj && keys.length) {
        sql += 'WHERE ';

@ -240,9 +257,10 @@ function wrap(db, dir, dbsMap) {
            sql += 'AND ';
          }
          if (null === obj[key]) {
-            sql += db.escape(snakeCase(key)) + " IS '" + db.escape(obj[key]) + "'";
+            sql += db.escape(snakeCase(key)) + " IS null";
          }
          else {
+            // TODO check that key is some type? ignore undefined?
            sql += db.escape(snakeCase(key)) + " = '" + db.escape(obj[key]) + "'";
          }
        });