Comments (6)
It doesn't look like any escape character is valid other than quotes. This makes it impossible to send valid JSON.
For example, posting the following request body returns an error:
```
{
  "poster": "user:k29aio2dilsyqvd6scpg",
  "title": "Hello quotes",
  "body": "do \" work?\nDo newlines?"
}
```
```
{
  "code": 400,
  "details": "Request problems detected",
  "description": "There is a problem with your request. Refer to the documentation for further information.",
  "information": "The request body contains invalid data"
}
```
Meanwhile, deliberately posting invalid JSON "works":
```
{
  "poster": "user:k29aio2dilsyqvd6scpg",
  "title": "Hello quotes",
  "body": "do \" work?
Do newlines?"
}
```
```
[
  {
    "time": "72.864µs",
    "status": "OK",
    "result": [
      {
        "body": "do \" work?\nDo newlines?",
        "id": "post:2phtv4rag4k5jf51yths",
        "poster": "user:k29aio2dilsyqvd6scpg",
        "title": "Hello quotes"
      }
    ]
  }
]
```
from surrealdb.
This occurs in both surrealdb.deno and surrealdb.js
from surrealdb.
Hi @finnbear, technically that's escaping the second `"` no? So the string doesn't ever complete.
The following queries do work however.
```
SELECT * FROM '\'';
SELECT * FROM "\"";
```
However, if there is an attempt to escape a character in a string, and the string is not defined with that character, then it will fail.
So strings defined using `'` marks will allow `\'` escaping, and strings defined using `"` marks will allow `\"` escaping.
@finnbear, @rushmorem the issue with allowing non-UTF-8 characters in strings, comes when we serialise these strings as a database key (either as a record id, or as a value in an index).
When serialising we end the string with a `0` `u8`, and when deserialising, we look for a `'\u{0}'` `char`...
https://github.com/surrealdb/storekey/blob/626e02f5940503a68bb665e730a80086d111effe/src/encode.rs#L418-L422
https://github.com/surrealdb/storekey/blob/626e02f5940503a68bb665e730a80086d111effe/src/decode.rs#L241-L265
Therefore if we allowed these characters in a string, we would have problems. This issue definitely needs more thought!
from surrealdb.
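The terminator problem described in the comment above, as an added example that is not part of the original thread and is not storekey's code: a simplified model in which each string field of a key is written as its bytes followed by a single 0 byte. The function names, the two-field `(table, id)` key layout and the sample values are assumptions made for illustration.

```rust
// Simplified model of a NUL-terminated key encoding (assumed layout, not storekey's code).

/// Append a string field to a key: raw bytes followed by a 0 terminator.
fn encode_str(key: &mut Vec<u8>, s: &str) {
    key.extend_from_slice(s.as_bytes());
    key.push(0);
}

/// Read one string field: everything up to the first 0 byte.
/// Returns the field and the remaining bytes, or None if no terminator is found.
fn decode_str(input: &[u8]) -> Option<(String, &[u8])> {
    let end = input.iter().position(|&b| b == 0)?;
    let s = String::from_utf8(input[..end].to_vec()).ok()?;
    Some((s, &input[end + 1..]))
}

/// Encode a hypothetical two-field key such as (table, id).
fn encode_key(table: &str, id: &str) -> Vec<u8> {
    let mut key = Vec::new();
    encode_str(&mut key, table);
    encode_str(&mut key, id);
    key
}

/// Decode a two-field key; the third value counts bytes left over after both fields.
fn decode_key(bytes: &[u8]) -> Option<(String, String, usize)> {
    let (table, rest) = decode_str(bytes)?;
    let (id, rest) = decode_str(rest)?;
    Some((table, id, rest.len()))
}

/// Guard applied before a string is used as a key component.
fn checked_encode_key(table: &str, id: &str) -> Result<Vec<u8>, &'static str> {
    if table.contains('\0') || id.contains('\0') {
        return Err("NUL character not allowed in key strings");
    }
    Ok(encode_key(table, id))
}

fn main() {
    // Constructed sample values.
    println!("{:?}", decode_key(&encode_key("post", "abc"))); // clean round trip
    println!("{:?}", decode_key(&encode_key("post", "ab\0cd"))); // id truncated, bytes left over
    // Two different logical keys that serialise to identical bytes.
    println!("{}", encode_key("a\0b", "c") == encode_key("a", "b\0c"));
    println!("{:?}", checked_encode_key("post", "ab\0cd"));
}
```

With a terminator-based layout, an embedded NUL both truncates the decoded value and lets two distinct keys share one byte sequence, which is why such strings have to be rejected or escaped before they reach the key encoder.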
I think the test case can be reduced to
```
> select * from "\";
{"code":400,"details":"Request problems detected","description":"There is a problem with your request. Refer to the documentation for further information.","information":"There was a problem with the database: Parse error on line 1 at character 0 when parsing 'select * from \"\\\";'"}
```
Not sure what's going on, but seems like SurrealDB doesn't like `\` in the query string.
from surrealdb.
> Hi @finnbear, technically that's escaping the second `"` no? So the string doesn't ever complete.

You might be right.
However, the following (which, by your logic, should escape to a literal `\`, right?) also fails to parse.
```
> select * from "\\"
{"code":400,"details":"Request problems detected","description":"There is a problem with your request. Refer to the documentation for further information.","information":"There was a problem with the database: Parse error on line 1 at character 0 when parsing 'select * from \"\\\\\"'"}
```
from surrealdb.
That falls under this part...

> So strings defined using `'` marks will allow `\'` escaping, and strings defined using `"` marks will allow `\"` escaping.

That's a good point, you currently can't put a `\` character in a string. This logic happens here...
surrealdb/lib/src/sql/strand.rs
Lines 90 to 102 in 04831b1
from surrealdb.