Escape Parameters (#9)

Heqing Ya · web-flow · commit a32b90b559e4 · 2022-06-16T12:11:58.000-07:00
* escape parameters

* fix test

* rename const
diff --git a/connection.go b/connection.go
@@ -65,7 +65,10 @@ func (c *Conn) QueryContext(ctx context.Context, q string, args []driver.NamedVa
 	}
 
 	tmpl := template(q)
-	stmt := statement(tmpl, args)
+	stmt, err := statement(tmpl, args)
+	if err != nil {
+		return nil, err
+	}
 	return query(ctx, session, stmt)
 }
 
@@ -77,7 +80,10 @@ func (c *Conn) ExecContext(ctx context.Context, q string, args []driver.NamedVal
 	}
 
 	tmpl := template(q)
-	stmt := statement(tmpl, args)
+	stmt, err := statement(tmpl, args)
+	if err != nil {
+		return nil, err
+	}
 	return exec(ctx, session, stmt)
 }
 
diff --git a/escaper.go b/escaper.go
@@ -0,0 +1,29 @@
+package dbsql
+
+import (
+	"database/sql/driver"
+	"fmt"
+	"strings"
+	"time"
+)
+
+const (
+	TimeFmt = "2006-01-02T15:04:05.999-07:00"
+)
+
+func EscapeArg(arg driver.NamedValue) (string, error) {
+	switch v := arg.Value.(type) {
+	case int64:
+		return fmt.Sprintf("%v", v), nil
+	case float64:
+		return fmt.Sprintf("%v", v), nil
+	case bool:
+		return fmt.Sprintf("%v", v), nil
+	case string:
+		return fmt.Sprintf("'%v'", strings.ReplaceAll(v, "'", "''")), nil
+	case time.Time:
+		return "'" + v.Format(TimeFmt) + "'", nil
+	default:
+		return "", fmt.Errorf("unsupported parameter type %T for value %v", v, v)
+	}
+}
diff --git a/escaper_test.go b/escaper_test.go
@@ -0,0 +1,31 @@
+package dbsql
+
+import (
+	"database/sql/driver"
+	"testing"
+	"time"
+)
+
+func TestEscaper(t *testing.T) {
+	testcases := []struct {
+		Value          driver.Value
+		ExpectedOutput string
+	}{
+		{Value: "a'b'c", ExpectedOutput: `'a''b''c'`},
+		{Value: int64(1024), ExpectedOutput: `1024`},
+		{Value: float64(1024.5), ExpectedOutput: `1024.5`},
+		{Value: true, ExpectedOutput: "true"},
+		{Value: time.Date(2020, time.April, 11, 21, 34, 01, 0, time.UTC), ExpectedOutput: "'2020-04-11T21:34:01+00:00'"},
+	}
+
+	for _, test := range testcases {
+		actual, err := EscapeArg(driver.NamedValue{Value: test.Value})
+		if err != nil {
+			t.Error(err)
+		}
+		if actual != test.ExpectedOutput {
+			t.Errorf("expecting %v, actual value: %v", test.ExpectedOutput, actual)
+		}
+
+	}
+}
diff --git a/statement.go b/statement.go
@@ -64,7 +64,10 @@ func (s *Stmt) QueryContext(ctx context.Context, args []driver.NamedValue) (driv
 	if err != nil {
 		return nil, err
 	}
-	stmt := statement(s.stmt, args)
+	stmt, err := statement(s.stmt, args)
+	if err != nil {
+		return nil, err
+	}
 	return query(ctx, session, stmt)
 }
 
@@ -74,7 +77,10 @@ func (s *Stmt) ExecContext(ctx context.Context, args []driver.NamedValue) (drive
 	if err != nil {
 		return nil, err
 	}
-	stmt := statement(s.stmt, args)
+	stmt, err := statement(s.stmt, args)
+	if err != nil {
+		return nil, err
+	}
 	return exec(ctx, session, stmt)
 }
 
@@ -92,7 +98,7 @@ func template(query string) string {
 	return query
 }
 
-func statement(tmpl string, args []driver.NamedValue) string {
+func statement(tmpl string, args []driver.NamedValue) (string, error) {
 	stmt := tmpl
 	for _, arg := range args {
 		var re *regexp.Regexp
@@ -101,10 +107,14 @@ func statement(tmpl string, args []driver.NamedValue) string {
 		} else {
 			re = regexp.MustCompile(fmt.Sprintf("@p%d%s", arg.Ordinal, `\b`))
 		}
-		val := fmt.Sprintf("%v", arg.Value)
+		escaped, err := EscapeArg(arg)
+		if err != nil {
+			return "", err
+		}
+		val := fmt.Sprintf("%v", escaped)
 		stmt = re.ReplaceAllString(stmt, val)
 	}
-	return stmt
+	return stmt, nil
 }
 
 func query(ctx context.Context, session *hive.Session, stmt string) (driver.Rows, error) {
diff --git a/statement_test.go b/statement_test.go
@@ -16,7 +16,7 @@ func TestStatement(t *testing.T) {
 			args: []driver.NamedValue{
 				{Ordinal: 1, Value: "val_1"},
 			},
-			target: "val_1 p1",
+			target: "'val_1' p1",
 		},
 		{
 			stmt: "@p1 @p10 @p11 @named @named1 @p1",
@@ -25,12 +25,15 @@ func TestStatement(t *testing.T) {
 				{Ordinal: 10, Name: "named", Value: "val_named"},
 				{Ordinal: 11, Value: "val_11"},
 			},
-			target: "val_1 @p10 val_11 val_named @named1 val_1",
+			target: "'val_1' @p10 'val_11' 'val_named' @named1 'val_1'",
 		},
 	}
 
 	for _, tt := range tests {
-		result := statement(tt.stmt, tt.args)
+		result, err := statement(tt.stmt, tt.args)
+		if err != nil {
+			t.Error(err)
+		}
 
 		if result != tt.target {
 			t.Fatalf("mismatch for statement: %q\n\ttarget: %q\n\tresult: %q", tt.stmt, tt.target, result)

Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,10 @@ func (c *Conn) QueryContext(ctx context.Context, q string, args []driver.NamedVa`
`65`	`65`	`}`
`66`	`66`
`67`	`67`	`tmpl := template(q)`
`68`		`- stmt := statement(tmpl, args)`
	`68`	`+ stmt, err := statement(tmpl, args)`
	`69`	`+ if err != nil {`
	`70`	`+ return nil, err`
	`71`	`+ }`
`69`	`72`	`return query(ctx, session, stmt)`
`70`	`73`	`}`
`71`	`74`
`@@ -77,7 +80,10 @@ func (c *Conn) ExecContext(ctx context.Context, q string, args []driver.NamedVal`
`77`	`80`	`}`
`78`	`81`
`79`	`82`	`tmpl := template(q)`
`80`		`- stmt := statement(tmpl, args)`
	`83`	`+ stmt, err := statement(tmpl, args)`
	`84`	`+ if err != nil {`
	`85`	`+ return nil, err`
	`86`	`+ }`
`81`	`87`	`return exec(ctx, session, stmt)`
`82`	`88`	`}`
`83`	`89`
Original file line number	Diff line number	Diff line change
`@@ -64,7 +64,10 @@ func (s *Stmt) QueryContext(ctx context.Context, args []driver.NamedValue) (driv`
`64`	`64`	`if err != nil {`
`65`	`65`	`return nil, err`
`66`	`66`	`}`
`67`		`- stmt := statement(s.stmt, args)`
	`67`	`+ stmt, err := statement(s.stmt, args)`
	`68`	`+ if err != nil {`
	`69`	`+ return nil, err`
	`70`	`+ }`
`68`	`71`	`return query(ctx, session, stmt)`
`69`	`72`	`}`
`70`	`73`
`@@ -74,7 +77,10 @@ func (s *Stmt) ExecContext(ctx context.Context, args []driver.NamedValue) (drive`
`74`	`77`	`if err != nil {`
`75`	`78`	`return nil, err`
`76`	`79`	`}`
`77`		`- stmt := statement(s.stmt, args)`
	`80`	`+ stmt, err := statement(s.stmt, args)`
	`81`	`+ if err != nil {`
	`82`	`+ return nil, err`
	`83`	`+ }`
`78`	`84`	`return exec(ctx, session, stmt)`
`79`	`85`	`}`
`80`	`86`
`@@ -92,7 +98,7 @@ func template(query string) string {`
`92`	`98`	`return query`
`93`	`99`	`}`
`94`	`100`
`95`		`-func statement(tmpl string, args []driver.NamedValue) string {`
	`101`	`+func statement(tmpl string, args []driver.NamedValue) (string, error) {`
`96`	`102`	`stmt := tmpl`
`97`	`103`	`for _, arg := range args {`
`98`	`104`	`var re *regexp.Regexp`
`@@ -101,10 +107,14 @@ func statement(tmpl string, args []driver.NamedValue) string {`
`101`	`107`	`} else {`
`102`	`108`	re = regexp.MustCompile(fmt.Sprintf("@p%d%s", arg.Ordinal, `\b`))
`103`	`109`	`}`
`104`		`- val := fmt.Sprintf("%v", arg.Value)`
	`110`	`+ escaped, err := EscapeArg(arg)`
	`111`	`+ if err != nil {`
	`112`	`+ return "", err`
	`113`	`+ }`
	`114`	`+ val := fmt.Sprintf("%v", escaped)`
`105`	`115`	`stmt = re.ReplaceAllString(stmt, val)`
`106`	`116`	`}`
`107`		`- return stmt`
	`117`	`+ return stmt, nil`
`108`	`118`	`}`
`109`	`119`
`110`	`120`	`func query(ctx context.Context, session *hive.Session, stmt string) (driver.Rows, error) {`