Comments (6)
phughk
commented on May 15, 2024
This is a duplicate of #2641
Closing this one, but thank you for raising.
from surrealdb.
GauramMajmudar
commented on May 15, 2024
Hi @phughk,
Thank you for notifying.
Since this will be fixed in lq v2, I tested a work-around solution to pass params to live query. Instead of passing params as an argument in the SDK Query(), I am creating a static query string by embedding values using string formatters. I directly pass the query string in Query() and keep the param argument nil. The golang snippet is as follows;
ids := ['clients:client_0']
sql := fmt.Sprintf("live select * from clients where id in %v", ids)
db.Query(sql, nil)
Alternatively, query builders can also be used. This returns a valid live query response and the notifications are received as expected.
Would this workaround solution be safe and usable for now as an alternative to live query params?
from surrealdb.
phughk
commented on May 15, 2024
Hey @GauramMajmudar - this will definitely solve the issue atm. The problem is that is prone to "SQL injection". If your string comes from user input (in any way), then it could be modified
let name = input("Whats your name? : ")
sql = fmt.Sprintf("live select * from clients where id == %v", ids)
If I enter the name ""; DELETE TABLE clients then I could do something really mallicious.
I think it may be a viable workaround at the moment, but please know this is very unsafe. Query builders use the params feature as well, to avoid injection.
from surrealdb.
GauramMajmudar
commented on May 15, 2024
Hey @phughk
Thank you for the clarification. We are using query builders to avoid injection issues.
Is there any timeline for the live query version 2 (nightly or beta)?
from surrealdb.
ahmedali5530
commented on May 15, 2024
Parameters also not working when working with string functions inside where conditions. For example
this query
SELECT * FROM menu_item WHERE string::startsWith($column, $value) LIMIT 10 FETCH categories
$column: "name",
$value: "biryani"
is giving following error
Incorrect arguments for function string::lowercase(). Argument 1 was the wrong type. Expected a string but found NONE
But when i put real values instead of parameters it works just fine.
from surrealdb.
phughk
commented on May 15, 2024
@GauramMajmudar this may already be solved now with #3946
@ahmedali5530 This is actually a different bug, so would encourage opening a separate ticket. It's enough that you put the same message in as that seems to be sufficient. Thank you!
from surrealdb.
Related Issues (20)
- Bug: Table Permissions Doesn't Seem To Be Working With Embedded Select Statement HOT 3
- Bug: Flutter app with embedded Rust failing to compile as a result of SurrealDB dependency usage HOT 1
- Bug: Deadlock encountered HOT 3
- Bug: Index not used when comparing with "==" HOT 1
- Bug: Db(Unreachable("This feature won't go live with sql1, so delete this branching")) HOT 2
- Bug: Vector NN search count does not respect WHERE clause HOT 2
- Feature: Query builder like syntax
- Bug: Paginating data (START / OFFSET) gets exponential slower with bigger datasets (from 380ms to 468970ms) HOT 1
- Bug: Cannot insert/create a data that contains a large vector size HOT 8
- Feature: Automatically create/update records of child based on definition in parent or id in child
- Parameters do not work in string functions HOT 5
- Feature: Omit in fetch
- Feature: Live Query WHERE clause should process Params HOT 4
- Bug: Delr is displayed in trace logs of releases HOT 1
- Bug: I upgraded my server surreal version and lost all my data HOT 6
- Bug: OPTION IMPORT causes bugs with FTS indexes
- Bug: subquery runs create twice
- Feature: Embedded replicas
- Bug: TIMEOUT not respected inside RETURN statement
- Bug: Rust fails to build surrealdb HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from surrealdb.