Replacements don't work properly when using $$ to tell the start and end of function #15301
Comments
I'm surprised

As for

That's the thing, we can't inject anything in that string because it would open the door to SQL injections. For instance, if your variable

SELECT
  *
FROM
  "Users"
  LEFT JOIN (
    SELECT
      *
    FROM
      CROSSTAB ($$
        SELECT
          "Appointments"."userId" AS "userId",
          ROW_NUMBER() OVER (PARTITION BY "Appointments"."userId" ORDER BY "Appointments"."startDate" ASC) AS "appointmentNumber",
          TO_CHAR("Appointments"."startDate", '$$') AS "appointmentDate"
        FROM
          "Appointments"
      $$) AS "ct" ("patientId" uuid, "appointment1" text)
  ) AS "UserAppointments" ON "UserAppointments"."patientId" = "Users"."id"
WHERE
  "Users"."type" IN (1)

As far as I know, it's impossible to escape the end of string delimiter. The best you can do in this instance is to ensure
I can confirm that I could replicate the issue with a test as small as this:

sequelize.query(`SELECT $$ $$ (:userTypes)`, {
  replacements: {
    userTypes: 'def'
  }
})
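The maintainer's point above (a value substituted inside a string literal could contain the closing delimiter) and the minimal repro, as an added example that is not Sequelize's own code: a scanner that substitutes `:name` replacements only outside single-quoted and PostgreSQL dollar-quoted strings. `quoteLiteral` and `replaceOutsideStrings` are hypothetical names, and the queries passed to them are constructed for illustration.

```javascript
// Added example, not Sequelize's own code: substitute `:name` replacements only
// outside SQL string literals. Single-quoted and PostgreSQL dollar-quoted strings
// ($$...$$, $tag$...$tag$) are copied through verbatim, so `:dateFormat` inside
// `$$ ... $$` stays as-is while `(:userTypes)` after the closing `$$` is replaced.
// Interiors are never substituted: a value holding the closing delimiter would
// end the literal early and change the query (the maintainer's point above).
function quoteLiteral(value) {
  // Render a replacement as a SQL literal; arrays become a comma-separated list.
  if (Array.isArray(value)) return value.map(quoteLiteral).join(', ');
  if (typeof value === 'number') return String(value);
  return `'${String(value).replace(/'/g, "''")}'`; // double embedded quotes
}

function replaceOutsideStrings(sql, replacements) {
  let out = '', i = 0;
  while (i < sql.length) {
    const ch = sql[i];
    if (ch === "'") {
      // Single-quoted literal; '' inside it is an escaped quote, not the end.
      let j = i + 1;
      while (j < sql.length && !(sql[j] === "'" && sql[j + 1] !== "'")) {
        j += sql[j] === "'" ? 2 : 1;
      }
      out += sql.slice(i, j + 1);
      i = j + 1;
      continue;
    }
    const dollar = ch === '$' && /^\$([A-Za-z_]\w*)?\$/.exec(sql.slice(i));
    if (dollar) {
      // Dollar-quoted literal: copy through the matching $tag$ (or to the end).
      const close = sql.indexOf(dollar[0], i + dollar[0].length);
      const j = close === -1 ? sql.length : close + dollar[0].length;
      out += sql.slice(i, j);
      i = j;
      continue;
    }
    if (ch === ':' && sql[i + 1] === ':') { out += '::'; i += 2; continue; } // cast
    const named = ch === ':' && /^:([A-Za-z_]\w*)/.exec(sql.slice(i));
    if (named && Object.prototype.hasOwnProperty.call(replacements, named[1])) {
      out += quoteLiteral(replacements[named[1]]);
      i += named[0].length;
      continue;
    }
    out += ch; // anything else (including a lone `$` or `:`) passes through
    i++;
  }
  return out;
}
```

With the repro query, `replaceOutsideStrings("SELECT $$ $$ (:userTypes)", { userTypes: 'def' })` yields `SELECT $$ $$ ('def')`, because the scanner leaves the `$$ $$` literal once it sees its closing `$$`.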
🎉 This issue has been resolved in version 6.25.7 🎉 The release is available on:
Your semantic-release bot 📦🚀
@ephys hi, thanks for the blazing fast fix! ⚡️ Just wanna share one thing. Not sure if this was intended, but after installing v6.25.7, everything seems to work fine, however you might wanna take a look? Thanks!
That would be very very bad, I'll take a look asap
You may be interested in this: I've included an idea in feature request #14299 to support injecting replacements inside of strings delimited by
🎉 This issue has been resolved in version 6.29.3 🎉 The release is available on:
Your semantic-release bot 📦🚀
Issue Creation Checklist
Bug Description
Replacements don't work properly when using $$ to tell the start and end of a function. Seems like when $$ is used, it treats them as being inside a string, even though it's outside of $$.

Issue happened starting with v6.19.1
Reproducible Example
What do you expect to happen?
:userTypes and :dateFormat should be replaced.

What is actually happening?
It throws the error syntax error at or near ":", since it didn't replace both :userTypes and :dateFormat. After further checking, I noticed this started happening with version v6.19.1.
Current workaround is to replace $$ with a single quote ' and replace anything in between $$ with the actual value, since replacement doesn't work here either and it will throw the syntax error at or near ":" error.

Environment