Fix string escaping for sqlite

SQLite was defaulting to the MySQL backslash-escaped style, but it uses postgres-style escaping. This is a SQL-injection vulnerability, and shouldn't be taken lightly (although SQLite is mostly for testing).

Fix string escaping for sqlite
SQLite was defaulting to the MySQL backslash-escaped style, but it uses postgres-style escaping. This is a SQL-injection vulnerability, and shouldn't be taken lightly (although SQLite is mostly for testing).
Benjamin Woodruff
Commit c876192a authored Jun 14, 2013 by Benjamin Woodruff
Showing with 2 additions and 1 deletions
lib/sql-string.js
--- a/lib/sql-string.js
+++ b/lib/sql-string.js
@@ -37,8 +37,9 @@ SqlString.escape = function(val, stringifyObjects, timeZone, dialect) {
    }
  }

-  if (dialect == "postgres") {
+  if (dialect === "postgres" || dialect === "sqlite") {
    // http://www.postgresql.org/docs/8.2/static/sql-syntax-lexical.html#SQL-SYNTAX-STRINGS
+    // http://stackoverflow.com/q/603572/130598
    val = val.replace(/'/g, "''");
  } else {
    val = val.replace(/[\0\n\r\b\t\\\'\"\x1a]/g, function(s) {