diff --git a/README.md b/README.md
index 3392416..adc098e 100755
--- a/README.md
+++ b/README.md
@@ -45,6 +45,10 @@ A node query builder for various SQL databases, based on CodeIgniter's query bui
// Database module result handling
});
+### Security notes
+As of version 2, `where` and `having` type methods parse the values passed to look for function calls. While values passed are still passed as query parameters, take care to avoid passing these kinds of methods unfiltered input. SQL function arguments are not currently parsed, so they need to be properly escaped for the current database.
+
+
### Additional help
* Generated documentation is in the docs/ folder
diff --git a/docs/adapter.js.html b/docs/adapter.js.html
index cd0cfef..26fdab5 100644
--- a/docs/adapter.js.html
+++ b/docs/adapter.js.html
@@ -92,15 +92,6 @@ module.exports = {
*/
execute: function(sql, params, callback) {
throw new Error("Correct adapter not defined for query execution");
- },
-
- /**
- * Close the connection that is open on the current adapter
- *
- * @return void
- */
- close: function() {
- throw new Error("Close method not defined for the current adapter");
}
};
diff --git a/docs/driver.js.html b/docs/driver.js.html
index 887d66c..e9c5d08 100644
--- a/docs/driver.js.html
+++ b/docs/driver.js.html
@@ -99,8 +99,6 @@ var d = {
* @private
*/
_quote: function(str) {
- //if (/[0-9]+|\'(.*?)\'/ig.test(str)) return str;
-
return (helpers.isString(str) && ! (str.startsWith(d.identifierChar) || str.endsWith(d.identifierChar)))
? d.identifierChar + str + d.identifierChar
: str;
@@ -152,12 +150,6 @@ var d = {
return str.map(d.quoteIdentifiers);
}
-if ( ! helpers.isString(str))
-{
- console.error(str);
- return str;
-}
-
// Handle commas
if (str.contains(','))
{
diff --git a/docs/index.html b/docs/index.html
index fd27b9d..2c6d6b1 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -130,7 +130,8 @@ query.select('foo')
.limit(2, 3)
.get(function(/* Adapter dependent arguments */) {
// Database module result handling
- });
Additional help
+ });Security notes
As of version 2, where
and having
type methods parse the values passed to look for function calls. While values passed are still passed as query parameters, take care to avoid passing these kinds of methods unfiltered input. SQL function arguments are not currently parsed, so they need to be properly escaped for the current database.
+Additional help
- Generated documentation is in the docs/ folder
tests/query-builder-base.js
contains a lot of usage examples
- The
tests/adapters
folder contains examples of how to set up a connection for the appropriate database library
diff --git a/docs/module-adapter.html b/docs/module-adapter.html
index ebea6d2..85f7cbe 100644
--- a/docs/module-adapter.html
+++ b/docs/module-adapter.html
@@ -152,93 +152,6 @@
--
-
<static> close()
-
-
-
--
-
-
-
-
Close the connection that is open on the current adapter
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- - Source:
- -
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Returns:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
<static> execute(sql, params, callback)
diff --git a/lib/adapter.js b/lib/adapter.js
index 5485e41..d0e0a0a 100755
--- a/lib/adapter.js
+++ b/lib/adapter.js
@@ -13,14 +13,5 @@ module.exports = {
*/
execute: function(sql, params, callback) {
throw new Error("Correct adapter not defined for query execution");
- },
-
- /**
- * Close the connection that is open on the current adapter
- *
- * @return void
- */
- close: function() {
- throw new Error("Close method not defined for the current adapter");
}
};
\ No newline at end of file
diff --git a/lib/driver.js b/lib/driver.js
index 6988556..7b77c2c 100755
--- a/lib/driver.js
+++ b/lib/driver.js
@@ -20,8 +20,6 @@ var d = {
* @private
*/
_quote: function(str) {
- //if (/[0-9]+|\'(.*?)\'/ig.test(str)) return str;
-
return (helpers.isString(str) && ! (str.startsWith(d.identifierChar) || str.endsWith(d.identifierChar)))
? d.identifierChar + str + d.identifierChar
: str;
@@ -73,12 +71,6 @@ var d = {
return str.map(d.quoteIdentifiers);
}
-if ( ! helpers.isString(str))
-{
- console.error(str);
- return str;
-}
-
// Handle commas
if (str.contains(','))
{
diff --git a/tests/helpers_test.js b/tests/helpers_test.js
index 0d1c963..f96be15 100644
--- a/tests/helpers_test.js
+++ b/tests/helpers_test.js
@@ -70,12 +70,14 @@ var helperTests = {
'regexInArray': function(test) {
var orig = ['apple', ' string ', 6, 4, 7];
- test.expect(4);
+ test.expect(6);
test.equal(false, helpers.regexInArray(orig, /\$/), 'Dollar sign is not in any of the array items');
test.equal(true, helpers.regexInArray(orig, /^ ?string/), "' string ' matches /^ ?string/");
test.equal(true, helpers.regexInArray(orig, /APPLE/i), "'apple' matches /APPLE/i");
test.equal(false, helpers.regexInArray(orig, /5/), 'None of the numbers in the array match /5/');
+ test.equal(false, helpers.regexInArray(5, /5/), 'First argument is not an array');
+ test.equal(false, helpers.regexInArray([], /.*/), 'Array is empty');
test.done();
}
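Review bot: The two assertions added for the non-array and empty-array cases use `test.equal`, which compares loosely (`==`) under nodeunit — the `test.expect`/`test.done` shape suggests that is the harness — so an implementation of `regexInArray` that returned `0`, `''` or `undefined`-coerced falsy values for these inputs would still pass, and the test would not actually pin the boolean contract the messages describe. Switching the new lines to `test.strictEqual(false, helpers.regexInArray(5, /5/), 'First argument is not an array');` and `test.strictEqual(false, helpers.regexInArray([], /.*/), 'Array is empty');` makes the guard behaviour explicit. The four pre-existing assertions have the same looseness, but the new lines are where to start since they are the ones guarding the degenerate inputs. If the harness is not nodeunit, confirm whether `equal` is strict there before changing anything.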
diff --git a/tests/query-builder-base.js b/tests/query-builder-base.js
index ea037da..56b9c15 100644
--- a/tests/query-builder-base.js
+++ b/tests/query-builder-base.js
@@ -152,13 +152,6 @@ module.exports = (function QueryBuilderTestBase() {
.where('id > 3')
.get(base.testCallback.bind(this, test));
},
- /*'Select with function in WHERE clause': function(test) {
- test.expect(1);
- base.qb.select('id', 'key as k', 'val')
- .from('create_test')
- .where('val !=', 'CURRENT_TIMESTAMP()')
- .get(base.testCallback.bind(this, test));
- },*/
'Select with function and argument in WHERE clause': function(test) {
test.expect(1);
base.qb.select('id')