Merge branch 'pg-quoting2' of git://github.com/aslakhellesoy/sequelize into asla…

…khellesoy-pg-quoting2

lib/dialects/postgres/query-generator.js

@@ -13,15 +13,23 @@ function addQuotes(s, quoteChar) {
   return s.split('.').map(function(e) { return quoteChar + String(e) + quoteChar }).join('.')
 }
 
-function pgEscape(s) {
-  s = Utils.escape(s)
+function pgEscape(val) {
+  if (val === undefined || val === null) {
+    return 'NULL';
+  }
+
+  switch (typeof val) {
+    case 'boolean': return (val) ? 'true' : 'false';
+    case 'number': return val+'';
+  }
 
-  if (typeof s == 'string') {
-    // http://www.postgresql.org/docs/8.2/static/sql-syntax-lexical.html#SQL-SYNTAX-STRINGS
-    s = s.replace(/\\'/g, "''")
+  if (val instanceof Date) {
+    val = pgSqlDate(val);
   }
 
-  return s
+  // http://www.postgresql.org/docs/8.2/static/sql-syntax-lexical.html#SQL-SYNTAX-STRINGS
+  val = val.replace(/'/g, "''");
+  return "'"+val+"'";
 }
 
 function padInt(i) {
@@ -264,7 +272,7 @@ module.exports = (function() {
         table: addQuotes(tableName),
         attributes: Utils._.keys(attrValueHash).map(function(attr){return addQuotes(attr)}).join(","),
         values: Utils._.values(attrValueHash).map(function(value){
-          return pgEscape((value instanceof Date) ? pgSqlDate(value) : value)
+          return pgEscape(value)
         }).join(",")
       }
 
@@ -279,7 +287,7 @@ module.exports = (function() {
 
       for (var key in attrValueHash) {
         var value = attrValueHash[key]
-        values.push(addQuotes(key) + "=" + pgEscape((value instanceof Date) ? pgSqlDate(value) : value))
+        values.push(addQuotes(key) + "=" + pgEscape(value))
       }
 
       var replacements = {

spec-jasmine/dao.spec.js

@@ -31,6 +31,30 @@ describe('DAO', function() {
       beforeEach(function() { Helpers.dropAllTables(); setup() })
       afterEach(function() { Helpers.dropAllTables() })
 
+      describe('Escaping', function() {
+        it('is done properly for special characters', function() {
+          var User = sequelize.define('User', {
+            bio: Sequelize.TEXT
+          }, { timestamps: false, logging: false })
+
+          Helpers.async(function(done) {
+            User.sync({ force: true }).success(done)
+          })
+
+          Helpers.async(function(done) {
+            // Ideally we should test more: "\0\n\r\b\t\\\'\"\x1a"
+            // But this causes sqlite to fail and exits the entire test suite immediately
+            var bio = dialect + "'\"\n"; // Need to add the dialect here so in case of failure I know what DB it failed for
+            User.create({ bio: bio }).success(function(u1) {
+              User.find(u1.id).success(function(u2) {
+                expect(u2.bio).toEqual(bio)
+                done()
+              })
+            })
+          })
+        })
+      })
+
       describe('isNewRecord', function() {
         it('returns true for non-saved objects', function() {
           var user = User.build({ username: 'user' })
@@ -310,7 +334,6 @@ describe('DAO', function() {
         })
       })
 
-
     })
   })
 })

spec-jasmine/postgres/query-generator.spec.js

@@ -119,6 +119,9 @@ describe('QueryGenerator', function() {
         arguments: ['mySchema.myTable', {name: 'foo'}],
         expectation: "INSERT INTO \"mySchema\".\"myTable\" (\"name\") VALUES ('foo') RETURNING *;"
       }, {
+        arguments: ['mySchema.myTable', {name: JSON.stringify({info: 'Look ma a " quote'})}],
+        expectation: "INSERT INTO \"mySchema\".\"myTable\" (\"name\") VALUES ('{\"info\":\"Look ma a \\\" quote\"}') RETURNING *;"
+      }, {
         arguments: ['mySchema.myTable', {name: "foo';DROP TABLE mySchema.myTable;"}],
         expectation: "INSERT INTO \"mySchema\".\"myTable\" (\"name\") VALUES ('foo'';DROP TABLE mySchema.myTable;') RETURNING *;"
       }