Fields should be escaped by quoteIdentifier for max/min functions which allows S…

…QL reserved keywords to be used. Closes #676

Fields should be escaped by quoteIdentifier for max/min functions which allows S…
…QL reserved keywords to be used. Closes #676
Daniel Durante
Commit e32b9e26 authored Jun 19, 2013 by Daniel Durante
Showing with 13 additions and 3 deletions
lib/dao-factory.js
spec/dao-factory.spec.js
--- a/lib/dao-factory.js
+++ b/lib/dao-factory.js
@@ -299,14 +299,14 @@ module.exports = (function() {

  DAOFactory.prototype.max = function(field, options) {
    options = Utils._.extend({ attributes: [] }, options || {})
-    options.attributes.push(['max(' + field + ')', 'max'])
+    options.attributes.push(['max(' + this.QueryInterface.QueryGenerator.quoteIdentifier(field) + ')', 'max'])
    options.parseFloat = true

    return this.QueryInterface.rawSelect(this.getTableName(), options, 'max')
  }
  DAOFactory.prototype.min = function(field, options) {
    options = Utils._.extend({ attributes: [] }, options || {})
-    options.attributes.push(['min(' + field + ')', 'min'])
+    options.attributes.push(['min(' + this.QueryInterface.QueryGenerator.quoteIdentifier(field) + ')', 'min'])
    options.parseFloat = true

    return this.QueryInterface.rawSelect(this.getTableName(), options, 'min')

--- a/spec/dao-factory.spec.js
+++ b/spec/dao-factory.spec.js
@@ -1635,7 +1635,8 @@ describe(Helpers.getTestDialectTeaser("DAOFactory"), function() {
  describe('max', function() {
    before(function(done) {
      this.UserWithAge = this.sequelize.define('UserWithAge', {
-        age: Sequelize.INTEGER
+        age: Sequelize.INTEGER,
+        order: Sequelize.INTEGER
      })

      this.UserWithDec = this.sequelize.define('UserWithDec', {
@@ -1647,6 +1648,15 @@ describe(Helpers.getTestDialectTeaser("DAOFactory"), function() {
      }.bind(this))
    })

+    it("should return the max value for a field named the same as an SQL reserved keyword", function(done) {
+      this.UserWithAge.create({age: 3, order: 5}).success(function(){
+        this.UserWithAge.max('order').success(function(max) {
+          expect(max).toEqual(5)
+          done()
+        })
+      }.bind(this))
+    })
+
    it("should return the max value", function(done) {
      this.UserWithAge.create({ age: 2 }).success(function() {
        this.UserWithAge.create({ age: 3 }).success(function() {