|
1 |
| -var SqlString = exports; |
| 1 | +var SqlString = exports; |
| 2 | +var charsRegex = /[\0\b\t\n\r\x1a\"\'\\]/g; |
| 3 | +var charsMap = { |
| 4 | + '\0': '\\0', |
| 5 | + '\b': '\\b', |
| 6 | + '\t': '\\t', |
| 7 | + '\n': '\\n', |
| 8 | + '\r': '\\r', |
| 9 | + '\x1a': '\\Z', |
| 10 | + '"': '\\"', |
| 11 | + '\'': '\\\'', |
| 12 | + '\\': '\\\\' |
| 13 | +}; |
2 | 14 |
|
3 | 15 | SqlString.escapeId = function escapeId(val, forbidQualified) {
|
4 | 16 | if (Array.isArray(val)) {
|
@@ -26,40 +38,21 @@ SqlString.escape = function escape(val, stringifyObjects, timeZone) {
|
26 | 38 | switch (typeof val) {
|
27 | 39 | case 'boolean': return (val) ? 'true' : 'false';
|
28 | 40 | case 'number': return val+'';
|
| 41 | + case 'object': |
| 42 | + if (val instanceof Date) { |
| 43 | + val = SqlString.dateToString(val, timeZone || 'local'); |
| 44 | + } else if (Array.isArray(val)) { |
| 45 | + return SqlString.arrayToList(val, timeZone); |
| 46 | + } else if (Buffer.isBuffer(val)) { |
| 47 | + return SqlString.bufferToString(val); |
| 48 | + } else if (stringifyObjects) { |
| 49 | + val = val.toString(); |
| 50 | + } else { |
| 51 | + return SqlString.objectToValues(val, timeZone); |
| 52 | + } |
29 | 53 | }
|
30 | 54 |
|
31 |
| - if (val instanceof Date) { |
32 |
| - val = SqlString.dateToString(val, timeZone || 'local'); |
33 |
| - } |
34 |
| - |
35 |
| - if (Buffer.isBuffer(val)) { |
36 |
| - return SqlString.bufferToString(val); |
37 |
| - } |
38 |
| - |
39 |
| - if (Array.isArray(val)) { |
40 |
| - return SqlString.arrayToList(val, timeZone); |
41 |
| - } |
42 |
| - |
43 |
| - if (typeof val === 'object') { |
44 |
| - if (stringifyObjects) { |
45 |
| - val = val.toString(); |
46 |
| - } else { |
47 |
| - return SqlString.objectToValues(val, timeZone); |
48 |
| - } |
49 |
| - } |
50 |
| - |
51 |
| - val = val.replace(/[\0\n\r\b\t\\\'\"\x1a]/g, function(s) { |
52 |
| - switch(s) { |
53 |
| - case "\0": return "\\0"; |
54 |
| - case "\n": return "\\n"; |
55 |
| - case "\r": return "\\r"; |
56 |
| - case "\b": return "\\b"; |
57 |
| - case "\t": return "\\t"; |
58 |
| - case "\x1a": return "\\Z"; |
59 |
| - default: return "\\"+s; |
60 |
| - } |
61 |
| - }); |
62 |
| - return "'"+val+"'"; |
| 55 | + return escapeString(val); |
63 | 56 | };
|
64 | 57 |
|
65 | 58 | SqlString.arrayToList = function arrayToList(array, timeZone) {
|
@@ -156,6 +149,28 @@ SqlString.objectToValues = function objectToValues(object, timeZone) {
|
156 | 149 | return sql;
|
157 | 150 | };
|
158 | 151 |
|
| 152 | +function escapeString(val) { |
| 153 | + var chunkIndex = charsRegex.lastIndex = 0; |
| 154 | + var escapedVal = ''; |
| 155 | + var match; |
| 156 | + |
| 157 | + while ((match = charsRegex.exec(val))) { |
| 158 | + escapedVal += val.slice(chunkIndex, match.index) + charsMap[match[0]]; |
| 159 | + chunkIndex = charsRegex.lastIndex; |
| 160 | + } |
| 161 | + |
| 162 | + if (chunkIndex === 0) { |
| 163 | + // Nothing was escaped |
| 164 | + return "'" + val + "'"; |
| 165 | + } |
| 166 | + |
| 167 | + if (chunkIndex < val.length) { |
| 168 | + return "'" + escapedVal + val.slice(chunkIndex) + "'"; |
| 169 | + } |
| 170 | + |
| 171 | + return "'" + escapedVal + "'"; |
| 172 | +} |
| 173 | + |
159 | 174 | function zeroPad(number, length) {
|
160 | 175 | number = number.toString();
|
161 | 176 | while (number.length < length) {
|
|
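Review bot: `escapeString` (new lines 152-172) is written for a string, but `escape` now calls it at new line 55 for any value the `switch` did not return from, and only the `exec` call coerces its argument. A function value would therefore come back quoted from its coerced source when nothing matches, and throw on `val.slice` when something does; the removed code failed on `val.replace` in both cases. Since this is the routine that quotes values for SQL, I would state the contract at the top of `escapeString`, for example `if (typeof val !== 'string') throw new TypeError('escapeString expects a string');`, or convert once with `val = String(val);` if that is what is intended. The start of `escape` is outside the hunk, so I am assuming null and undefined are handled before the `switch`. I would also add a comment above `charsRegex` and `charsMap` such as `// Every character matched by charsRegex needs an entry in charsMap; a miss would splice "undefined" into the escaped value.`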