

Fix #737, proper escaping for identifiers
Conflicts:
	lib/dialects/oracle/formatter.js
tgriesser committed Mar 13, 2015
1 parent 222ac82 commit 77f2275
Showing 4 changed files with 26 additions and 2 deletions.
2 changes: 1 addition & 1 deletion lib/dialects/postgres/formatter.js
Expand Up @@ -25,7 25,7 @@ Formatter_PG.prototype.wrapValue = function(value) {
if (value === '*') return value;
var matched = value.match(/(.*?)(\[[0-9]\])/);
if (matched) return this.wrapValue(matched[1]) matched[2];
return '"' value '"';
return '"' value.replace(/"/g, '""') '"';
};

// Memoize the calls to "wrap" for a little extra perf.
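Review bot: The `.replace(/"/g, '""')` on the new return line closes the quote-doubling gap, but the `[n]` branch two lines above still uses an unanchored regex, so for an identifier such as `col[1]"x` (constructed) the text after the index is silently dropped rather than escaped, yielding `"col"[1]`. Anchoring it, `var matched = value.match(/^(.*?)(\[[0-9]\])$/);`, makes the identifier either split cleanly at a trailing index or fall through to the fully quoted form. Whether any caller relies on the current truncation is not visible from this page. The sqlite3 formatter in this commit has no index branch, so only this hunk is affected.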
2 changes: 1 addition & 1 deletion lib/dialects/sqlite3/formatter.js
Expand Up @@ -21,7 21,7 @@ Formatter_SQLite3.prototype.operators = [

// Wraps a value (column, tableName) with the correct ticks.
Formatter_SQLite3.prototype.wrapValue = function(value) {
return (value !== '*' ? '"' value '"' : '*');
return (value !== '*' ? '"' value.replace(/"/g, '""') '"' : '*');
};

// Memoize the calls to "wrap" for a little extra perf.
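Review bot: The comment above `wrapValue` still says only that it wraps the value with the correct ticks, while the new return line also doubles embedded double quotes; stating that in the comment makes the escaping contract visible to anyone editing the other dialect formatters. Suggested wording: `// Wraps a value (column, tableName) in double quotes, doubling any embedded double quote so the identifier cannot end the quoting early.`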
8 changes: 8 additions & 0 deletions test/integration/builder/selects.js
Expand Up @@ -436,6 436,14 @@ module.exports = function(knex) {
}
});

it('properly escapes identifiers, #737', function() {
if (knex.client.dialect === 'postgresql') {
var query = knex.select('id","name').from('test').toSQL();
assert(query.sql === 'select "id"",""name" from "test"');
}
});


});

};
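Review bot: The new `it` block asserts only when `knex.client.dialect === 'postgresql'`; on every other dialect it passes without checking anything, so the sqlite3 formatter change in this same commit gets no coverage from the integration run. A dialect-keyed table of expected SQL, with the existing string under `postgresql` and the same doubled-quote form for `sqlite3`, would cover both, though which dialects this suite is run against is not visible here. The enclosing `describe` starts outside this hunk.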
16 changes: 16 additions & 0 deletions test/unit/query/builder.js
Expand Up @@ -749,6 749,22 @@ module.exports = function(pgclient, mysqlclient, sqlite3client) {
expect(str).to.equal('select "e"."lastname", "e"."salary", (select "avg(salary)" from "employee" where dept_no = e.dept_no) as "avg_sal_dept" from "employee" as "e" where "dept_no" = \'e.dept_no\'');
});

it('escapes queries properly, #737', function() {
testsql(qb()
.select('id","name')
.from('test'),
{
mysql: {
sql: 'select `id","name` from `test`',
bindings: []
},
default: {
sql: 'select "id"",""name" from "test"',
bindings: []
}
});
});

});

};
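Review bot: The `mysql` expectation in the new case only shows that double quotes pass through unchanged inside backticks; no case uses an identifier containing a backtick, which is the character a backtick-quoted identifier would need doubled, and the MySQL formatter is not part of this commit so its handling cannot be checked from here. A second `testsql` call with such an identifier (constructed) and its expected per-dialect output would pin that down alongside the double-quote case. The enclosing `describe` starts outside this hunk.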

