Use variables instead of failing to write string literals

Fixes #88

moor/lib/src/runtime/executor/executor.dart

@@ -40,7 +40,7 @@ abstract class QueryExecutor {
 
   /// Runs a custom SQL statement without any variables. The result of that
   /// statement will be ignored.
-  Future<void> runCustom(String statement);
+  Future<void> runCustom(String statement, [List<dynamic> args]);
 
   /// Prepares the [statements] and then executes each one with all of the
   /// [BatchedStatement.variables].

moor/lib/src/runtime/executor/helpers/engines.dart

@@ -63,10 +63,11 @@ mixin _ExecutorWithQueryDelegate on QueryExecutor {
   }
 
   @override
-  Future<void> runCustom(String statement) {
+  Future<void> runCustom(String statement, [List<dynamic> args]) {
     return _synchronized(() {
-      _log(statement, const []);
-      return impl.runCustom(statement, const []);
+      final resolvedArgs = args ?? const [];
+      _log(statement, resolvedArgs);
+      return impl.runCustom(statement, resolvedArgs);
     });
   }
 

moor/lib/src/runtime/expressions/variables.dart

@@ -45,25 +45,18 @@ class Variable<T, S extends SqlType<T>> extends Expression<T, S> {
   /// database engine. For instance, a [DateTime] will me mapped to its unix
   /// timestamp.
   dynamic mapToSimpleValue(GenerationContext context) {
-    final type = context.typeSystem.forDartType<T>();
-    return type.mapToSqlVariable(value);
+    return _mapToSimpleValue(context, value);
   }
 
   @override
   void writeInto(GenerationContext context) {
-    if (value != null) {
-      context.buffer.write('?');
-      context.introduceVariable(mapToSimpleValue(context));
-    } else {
-      context.buffer.write('NULL');
-    }
+    _writeVariableIntoContext(context, value);
   }
 }
 
 /// An expression that represents the value of a dart object encoded to sql
-/// by writing them into the sql statements. This is not supported for all types
-/// yet as it can be vulnerable to SQL-injection attacks. Please use [Variable]
-/// instead.
+/// by writing them into the sql statements. For most cases, consider using
+/// [Variable] instead.
 class Constant<T, S extends SqlType<T>> extends Expression<T, S> {
   const Constant(this.value);
 
@@ -74,7 +67,27 @@ class Constant<T, S extends SqlType<T>> extends Expression<T, S> {
 
   @override
   void writeInto(GenerationContext context) {
-    final type = context.typeSystem.forDartType<T>();
-    context.buffer.write(type.mapToSqlConstant(value));
+    // Instead of writing string literals (which we don't support because of
+    // possible sql injections), just write the variable.
+    if (value is String) {
+      _writeVariableIntoContext(context, value);
+    } else {
+      final type = context.typeSystem.forDartType<T>();
+      context.buffer.write(type.mapToSqlConstant(value));
+    }
   }
 }
+
+void _writeVariableIntoContext<T>(GenerationContext context, T value) {
+  if (value != null) {
+    context.buffer.write('?');
+    context.introduceVariable(_mapToSimpleValue<T>(context, value));
+  } else {
+    context.buffer.write('NULL');
+  }
+}
+
+dynamic _mapToSimpleValue<T>(GenerationContext context, T value) {
+  final type = context.typeSystem.forDartType<T>();
+  return type.mapToSqlVariable(value);
+}

moor/lib/src/runtime/migration.dart

@@ -57,7 +57,7 @@ class MigrationStrategy {
 }
 
 /// A function that executes queries and ignores what they return.
-typedef Future<void> SqlExecutor(String sql);
+typedef Future<void> SqlExecutor(String sql, [List<dynamic> args]);
 
 class Migrator {
   final GeneratedDatabase _db;
@@ -72,7 +72,9 @@ class Migrator {
 
   GenerationContext _createContext() {
     return GenerationContext(
-        _db.typeSystem, _SimpleSqlAsQueryExecutor(_executor));
+      _db.typeSystem,
+      _SimpleSqlAsQueryExecutor(_executor),
+    );
   }
 
   /// Creates the given table if it doesn't exist
@@ -115,7 +117,7 @@ class Migrator {
 
     context.buffer.write(');');
 
-    return issueCustomQuery(context.sql);
+    return issueCustomQuery(context.sql, context.boundVariables);
   }
 
   /// Deletes the table with the given name. Note that this function does not
@@ -136,8 +138,8 @@ class Migrator {
   }
 
   /// Executes the custom query.
-  Future<void> issueCustomQuery(String sql) async {
-    return _executor(sql);
+  Future<void> issueCustomQuery(String sql, [List<dynamic> args]) async {
+    return _executor(sql, args);
   }
 }
 
@@ -181,8 +183,8 @@ class _SimpleSqlAsQueryExecutor extends QueryExecutor {
   }
 
   @override
-  Future<void> runCustom(String statement) {
-    return executor(statement);
+  Future<void> runCustom(String statement, [List<dynamic> args]) {
+    return executor(statement, args);
   }
 
   @override

moor/test/data/utils/mocks.dart

@@ -47,7 +47,7 @@ class MockStreamQueries extends Mock implements StreamQueryStore {}
 
 // used so that we can mock the SqlExecutor typedef
 abstract class SqlExecutorAsClass {
-  Future<void> call(String sql);
+  Future<void> call(String sql, [List<dynamic> args]);
 }
 
 class MockQueryExecutor extends Mock implements SqlExecutorAsClass {}

moor/test/schema_test.dart

@@ -20,46 +20,58 @@ void main() {
       await Migrator(db, mockQueryExecutor).createAllTables();
 
       // should create todos, categories, users and shared_todos table
-      verify(mockQueryExecutor.call('CREATE TABLE IF NOT EXISTS todos '
+      verify(mockQueryExecutor.call(
+          'CREATE TABLE IF NOT EXISTS todos '
           '(id INTEGER PRIMARY KEY AUTOINCREMENT, title VARCHAR NULL, '
           'content VARCHAR NOT NULL, target_date INTEGER NULL, '
-          'category INTEGER NULL);'));
+          'category INTEGER NULL);',
+          []));
 
-      verify(mockQueryExecutor.call('CREATE TABLE IF NOT EXISTS categories '
-          '(id INTEGER PRIMARY KEY AUTOINCREMENT, `desc` VARCHAR NOT NULL UNIQUE);'));
+      verify(mockQueryExecutor.call(
+          'CREATE TABLE IF NOT EXISTS categories '
+          '(id INTEGER PRIMARY KEY AUTOINCREMENT, `desc` VARCHAR NOT NULL UNIQUE);',
+          []));
 
-      verify(mockQueryExecutor.call('CREATE TABLE IF NOT EXISTS users '
+      verify(mockQueryExecutor.call(
+          'CREATE TABLE IF NOT EXISTS users '
           '(id INTEGER PRIMARY KEY AUTOINCREMENT, name VARCHAR NOT NULL, '
           'is_awesome BOOLEAN NOT NULL DEFAULT 1 CHECK (is_awesome in (0, 1)), '
           'profile_picture BLOB NOT NULL, '
           'creation_time INTEGER NOT NULL '
-          "DEFAULT (strftime('%s', CURRENT_TIMESTAMP)));"));
+          "DEFAULT (strftime('%s', CURRENT_TIMESTAMP)));",
+          []));
 
-      verify(mockQueryExecutor.call('CREATE TABLE IF NOT EXISTS shared_todos ('
+      verify(mockQueryExecutor.call(
+          'CREATE TABLE IF NOT EXISTS shared_todos ('
           'todo INTEGER NOT NULL, '
           'user INTEGER NOT NULL, '
           'PRIMARY KEY (todo, user), '
           'FOREIGN KEY (todo) REFERENCES todos(id), '
           'FOREIGN KEY (user) REFERENCES users(id)'
-          ');'));
+          ');',
+          []));
 
-      verify(mockQueryExecutor.call('CREATE TABLE IF NOT EXISTS '
+      verify(mockQueryExecutor.call(
+          'CREATE TABLE IF NOT EXISTS '
           'table_without_p_k ('
           'not_really_an_id INTEGER NOT NULL, '
           'some_float REAL NOT NULL, '
           'custom VARCHAR NOT NULL'
-          ');'));
+          ');',
+          []));
     });
 
     test('creates individual tables', () async {
       await Migrator(db, mockQueryExecutor).createTable(db.users);
 
-      verify(mockQueryExecutor.call('CREATE TABLE IF NOT EXISTS users '
+      verify(mockQueryExecutor.call(
+          'CREATE TABLE IF NOT EXISTS users '
           '(id INTEGER PRIMARY KEY AUTOINCREMENT, name VARCHAR NOT NULL, '
           'is_awesome BOOLEAN NOT NULL DEFAULT 1 CHECK (is_awesome in (0, 1)), '
           'profile_picture BLOB NOT NULL, '
           'creation_time INTEGER NOT NULL '
-          "DEFAULT (strftime('%s', CURRENT_TIMESTAMP)));"));
+          "DEFAULT (strftime('%s', CURRENT_TIMESTAMP)));",
+          []));
     });
 
     test('drops tables', () async {