Support writing string literals from Constant<String>

Fixes #137
2019-09-06 22:37:15 +02:00 · 2019-09-06 22:37:15 +02:00 · 1130101f1f
parent 71d1bfdc9c
commit 1130101f1f
3 changed files with 39 additions and 11 deletions
--- a/moor/lib/src/runtime/expressions/variables.dart
+++ b/moor/lib/src/runtime/expressions/variables.dart
@ -67,14 +67,8 @@ class Constant<T, S extends SqlType<T>> extends Expression<T, S> {

  @override
  void writeInto(GenerationContext context) {
-    // Instead of writing string literals (which we don't support because of
-    // possible sql injections), just write the variable.
-    if (value is String) {
-      _writeVariableIntoContext(context, value);
-    } else {
-      final type = context.typeSystem.forDartType<T>();
-      context.buffer.write(type.mapToSqlConstant(value));
-    }
+    final type = context.typeSystem.forDartType<T>();
+    context.buffer.write(type.mapToSqlConstant(value));
  }
 }

--- a/moor/lib/src/types/sql_types.dart
+++ b/moor/lib/src/types/sql_types.dart
@ -56,9 +56,13 @@ class StringType extends SqlType<String> {

  @override
  String mapToSqlConstant(String content) {
-    // TODO: implement mapToSqlConstant, we would probably have to take care
-    // of sql injection vulnerabilities here
-    throw UnimplementedError("Strings can't be mapped to sql literals yet");
+    // From the sqlite docs: (https://www.sqlite.org/lang_expr.html)
+    // A string constant is formed by enclosing the string in single quotes (').
+    // A single quote within the string can be encoded by putting two single
+    // quotes in a row - as in Pascal. C-style escapes using the backslash
+    // character are not supported because they are not standard SQL.
+    final escapedChars = content.replaceAll('\'', '\'\'');
+    return "'$escapedChars'";
  }

  @override
--- a/moor/test/expressions/constant_test.dart
+++ b/moor/test/expressions/constant_test.dart
@ -0,0 +1,30 @@
+import 'package:moor/moor.dart';
+import 'package:moor/src/runtime/components/component.dart';
+import 'package:test_api/test_api.dart';
+
+import '../data/tables/todos.dart';
+
+void main() {
+  group('string literals', () {
+    test('can be written as constants', () {
+      testStringMapping('hello world', "'hello world'");
+    });
+
+    test('supports escaping snigle quotes', () {
+      testStringMapping('what\'s that?', "'what\'\'s that?'");
+    });
+
+    test('other chars are not escaped', () {
+      testStringMapping('\\\$"', "'\\\$\"'");
+    });
+  });
+}
+
+void testStringMapping(String dart, String expectedLiteral) {
+  final ctx = GenerationContext.fromDb(TodoDb(null));
+  final constant = Constant(dart);
+
+  constant.writeInto(ctx);
+
+  expect(ctx.sql, expectedLiteral);
+}