Merge branch 'master' of git://github.com/wyplay/sequelize into wyplay-master

changelog.md

 # v1.7.0 #
+- [BUG] Fix string escape with postgresql on raw SQL queries/ [#586](https://github.com/sequelize/sequelize/pull/586). thanks to zanamixx
 - [BUG] "order by" is now after "group by". [#585](https://github.com/sequelize/sequelize/pull/585). thanks to mekanics
 - [BUG] Added decimal support for min/max. [#583](https://github.com/sequelize/sequelize/pull/583). thanks to durango
 - [FEATURE] Schematics. [#564](https://github.com/sequelize/sequelize/pull/564). thanks to durango

lib/sequelize.js

@@ -202,7 +202,7 @@ module.exports = (function() {
 
   Sequelize.prototype.query = function(sql, callee, options, replacements) {
     if (arguments.length === 4) {
-      sql = Utils.format([sql].concat(replacements))
+      sql = Utils.format([sql].concat(replacements), this.options.dialect)
     } else if (arguments.length === 3) {
       options = options
     } else if (arguments.length === 2) {

lib/sql-string.js

@@ -7,7 +7,7 @@ SqlString.escapeId = function (val, forbidQualified) {
   return '`' + val.replace(/`/g, '``').replace(/\./g, '`.`') + '`';
 };
 
-SqlString.escape = function(val, stringifyObjects, timeZone) {
+SqlString.escape = function(val, stringifyObjects, timeZone, dialect) {
   if (val === undefined || val === null) {
     return 'NULL';
   }
@@ -37,17 +37,22 @@ SqlString.escape = function(val, stringifyObjects, timeZone) {
     }
   }
 
-  val = val.replace(/[\0\n\r\b\t\\\'\"\x1a]/g, function(s) {
-    switch(s) {
-      case "\0": return "\\0";
-      case "\n": return "\\n";
-      case "\r": return "\\r";
-      case "\b": return "\\b";
-      case "\t": return "\\t";
-      case "\x1a": return "\\Z";
-      default: return "\\"+s;
-    }
-  });
+  if (dialect == "postgres") {
+    // http://www.postgresql.org/docs/8.2/static/sql-syntax-lexical.html#SQL-SYNTAX-STRINGS
+    val = val.replace(/'/g, "''");
+  } else {
+    val = val.replace(/[\0\n\r\b\t\\\'\"\x1a]/g, function(s) {
+      switch(s) {
+        case "\0": return "\\0";
+        case "\n": return "\\n";
+        case "\r": return "\\r";
+        case "\b": return "\\b";
+        case "\t": return "\\t";
+        case "\x1a": return "\\Z";
+        default: return "\\"+s;
+      }
+    });
+  }
   return "'"+val+"'";
 };
 
@@ -58,7 +63,7 @@ SqlString.arrayToList = function(array, timeZone) {
   }).join(', ');
 };
 
-SqlString.format = function(sql, values, timeZone) {
+SqlString.format = function(sql, values, timeZone, dialect) {
   values = [].concat(values);
 
   return sql.replace(/\?/g, function(match) {
@@ -66,7 +71,7 @@ SqlString.format = function(sql, values, timeZone) {
       return match;
     }
 
-    return SqlString.escape(values.shift(), false, timeZone);
+    return SqlString.escape(values.shift(), false, timeZone, dialect);
   });
 };
 

lib/utils.js

@@ -47,8 +47,9 @@ var Utils = module.exports = {
   escape: function(s) {
     return SqlString.escape(s, true, "local").replace(/\\"/g, '"')
   },
-  format: function(arr) {
-    return SqlString.format(arr.shift(), arr)
+  format: function(arr, dialect) {
+    var timeZone = null;
+    return SqlString.format(arr.shift(), arr, timeZone, dialect)
   },
   isHash: function(obj) {
     return Utils._.isObject(obj) && !Array.isArray(obj);