fix(index): escape single quote characters

Peter Svetlichny · Peter Svetlichny · commit 410355bb1412 · 2017-09-26T14:03:47.000-07:00
diff --git a/src/index.js b/src/index.js
@@ -74,7 +74,7 @@ module.exports = class {
           if (typeof data[key] === 'object' && data[key] !== null) {
             data[key] = JSON.stringify(data[key])
           }
-          vals.push(`'${data[key]}'`)
+          vals.push(typeof data[key] === 'string' ? `'${data[key].replace(/'/g, "''")}'` : data[key])
           acc.push(key)
           return acc
         }, [])
@@ -122,6 +122,7 @@ module.exports = class {
             if (typeof data[key] === 'object' && data[key] !== null) {
               data[key] = JSON.stringify(data[key])
             }
+            if (typeof data[key] === 'string') data[key] = data[key].replace(/'/g, "''")
             let comma = (i !== len) ? ', ' : ''
             changes += `${key}='${data[key]}'${comma}`
             i++
diff --git a/test/fixtures/postgres.fixture.js b/test/fixtures/postgres.fixture.js
@@ -9,6 +9,7 @@ fixd.postgres = {
     fname: 'John',
     lname: 'Smith',
     email: 'jsmith@gmail.com',
+    age: 30,
     address: {
       street: '123 Fake St',
       city: 'Nashville'
@@ -19,6 +20,7 @@ fixd.postgres = {
     fname: [ 'varchar(255)' ],
     lname: [ 'varchar(255)' ],
     email: [ 'varchar(255)' ],
+    age: [ 'integer' ],
     address: [ 'jsonb' ]
   }
 }
diff --git a/test/src/index.spec.js b/test/src/index.spec.js
@@ -9,8 +9,6 @@ describe('postgres', () => {
     inst.tableName = 'foo'
     // Mock validation method, this is automatically done by the model
     inst.validate = (body) => Promise.resolve(body)
-    // Mock sanitize method, this is automatically done by the model
-    inst.sanitize = (body) => body
   })
   after(() => inst.pg.end())
   describe('query', () => {
@@ -50,9 +48,12 @@ describe('postgres', () => {
     })
   })
   describe('read', () => {
-    it('reads all when no query specified', () => {
+    afterEach(() => { inst.sanitize = null })
+    it('reads all when no query specified, calling existing sanitize method', () => {
+      inst.sanitize = sandbox.spy(body => body)
       return inst.read()
         .then((res) => {
+          expect(inst.sanitize).to.be.calledOnce()
           expect(res.length).to.equal(1)
           expect(res[0].email).to.equal(fixd.postgres.testData.email)
         })
@@ -73,7 +74,8 @@ describe('postgres', () => {
       const query = 'fname=\'John\''
       const body = {
         fname: 'Bob',
-        email: 'bsmith@gmail.com'
+        email: 'bsmith@gmail.com',
+        age: 31
       }
       return inst.update(query, body)
         .then((res) => {
