Comments (6)
Sounds like perhaps you are not passing parameters correctly. Please include a reproducible code example here.
UPDATE
The issue you linked to is different, about Buffer escaping, while you are talking about CSV filter logic. That filter was never meant to be used for type Buffer, because that wouldn't make much sense. If your Buffer contains a password, just remove CSV filter, and the value will be escaped correctly.
from pg-promise.
You are partially correct, I was doing Buffer.from("abc").toString() with the $2:csv filter which has caused issues. If I do just Buffer.from("abc") this appears to be working. But the Unicode null \u0000 definitely breaks the code and also I can't see any Unicode string encapsulation when the query is created (i.e. no E'abc').
Here is code that will fail:
```javascript
var obj = {
  id: crypto.randomUUID(), // ignore this - I need some fields for referential integrity/constraints
  org_id: id_org, // ignore
  password: Buffer.from("test"), // ignore
  salt: Buffer.from("salt"), // ignore
  firstName: "Peter", // ignore
  lastName: '\uD83D\uDC04\u0000', // <- this fails
  email: '[email protected]' // ignore
}
const q = sql('generic/create.sql'); // INSERT INTO $1:alias($2:name) VALUES($2:csv) RETURNING *
const insertResult = await db.one(q, ['users', obj]);
console.log(JSON.stringify(insertResult));
```
With the above code I get error code 08P01 on the lastName field.
If I change \u0000 to something else, e.g. \u0001, this works. However, when inspecting the text of the compiled query, there is no escaping for Unicode characters or marking the string as Unicode, e.g. E'\uD83D\uDC04\u0000'. I am not sure if this would improve things or not, though, but it could be a prudent thing to do. I read on the interweb that for \u0000 to be passed to Postgres one needs more escaping, so perhaps it's a special case that should be treated as such?
Here is the full error stack
```
invalid message format
INSERT INTO users("id","org_id","password","salt","firstName","lastName","email") VALUES('aa03c249-e82b-4e24-a759-29771d6e10d9','8e9ee4b1-65a1-464e-9d63-c67c29953fda','\x74657374','\x73616c74','Peter','🐄','[email protected]') RETURNING *
error: invalid message format
    at Parser.parseErrorMessage (C:\Users\m\source\repos\id\node_modules\pg-protocol\src\parser.ts:369:69)
    at Parser.handlePacket (C:\Users\m\source\repos\id\node_modules\pg-protocol\src\parser.ts:188:21)
    at Parser.parse (C:\Users\m\source\repos\id\node_modules\pg-protocol\src\parser.ts:103:30)
    at Socket.<anonymous> (C:\Users\m\source\repos\id\node_modules\pg-protocol\src\index.ts:7:48)
    at Socket.emit (C:\Users\m\source\repos\id\lib\events.js:517:28)
    at Socket.emit (C:\Users\m\source\repos\id\lib\domain.js:489:12)
    at addChunk (C:\Users\m\source\repos\id\lib\internal\streams\readable.js:335:12)
    at readableAddChunk (C:\Users\m\source\repos\id\lib\internal\streams\readable.js:308:9)
    at Socket.Readable.push (C:\Users\m\source\repos\id\lib\internal\streams\readable.js:245:10)
    at TCP.onStreamRead (node:internal/stream_base_commons:190:23) {length: 143, name: 'error', severity: 'ERROR', code: '08P01', detail: undefined, …}
```
from pg-promise.
You can provide your own solution/work-around to the issue, via Custom Type Formatting, by escaping it as you want.
from pg-promise.
Thanks for the tip, I did consider CTFs (and use them for more complex types).
I was hoping that this issue would be recognized as a bug/issue and a patch would go into pg-promise. The \u0000 in a string is a valid string (albeit an edge case) for JavaScript so, ideally, I shouldn't have to create a workaround for pg-promise, it should 'just work'.
from pg-promise.
The original issue was never resolved, and I do not see what solution, if any, is possible inside this library. Most likely, this needs to be addressed inside the base driver, and not here.
from pg-promise.
I am closing it, because I'm not planning to do any fixes on this end, it is down to the base driver, as per the old linked issue.
from pg-promise.
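An added example, not code from this thread or from pg-promise: PostgreSQL text values cannot contain U+0000, so a pre-flight check on the object being inserted turns the opaque 08P01 protocol error into an explicit validation decision (reject or strip). The function names are hypothetical, and the input is assumed to be plain, acyclic row data.

```javascript
// Added example; findNulPaths, stripNul and guardNul are hypothetical names,
// not pg-promise API. Input is assumed to be plain, acyclic row data.
const NUL = '\u0000';

// Buffers go out as bytea hex ('\x...'), where a zero byte is legal; Dates
// carry no text. Neither is inspected or rewritten.
const isOpaque = (v) => Buffer.isBuffer(v) || v instanceof Date;

// Collect the path of every string value that contains U+0000.
function findNulPaths(value, path = '$') {
  if (typeof value === 'string') return value.includes(NUL) ? [path] : [];
  if (value === null || typeof value !== 'object' || isOpaque(value)) return [];
  const entries = Array.isArray(value)
    ? value.map((v, i) => [`[${i}]`, v])
    : Object.entries(value).map(([k, v]) => [`.${k}`, v]);
  return entries.flatMap(([k, v]) => findNulPaths(v, path + k));
}

// Deep copy with U+0000 removed from every string value.
function stripNul(value) {
  if (typeof value === 'string') return value.split(NUL).join('');
  if (value === null || typeof value !== 'object' || isOpaque(value)) return value;
  if (Array.isArray(value)) return value.map(stripNul);
  return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, stripNul(v)]));
}

// 'reject' (default): throw, naming the fields but never echoing their content.
// 'strip': return a cleaned copy. Clean input is returned unchanged.
function guardNul(value, policy = 'reject') {
  const paths = findNulPaths(value);
  if (paths.length === 0) return value;
  if (policy === 'strip') return stripNul(value);
  const err = new Error(`U+0000 not allowed in text values: ${paths.join(', ')}`);
  err.paths = paths;
  throw err;
}

// Constructed sample, modelled on the object in the report above.
const sample = {
  firstName: 'Peter',
  lastName: '\uD83D\uDC04\u0000',
  salt: Buffer.from([0x73, 0x00]),
};
console.log(findNulPaths(sample));
console.log(guardNul(sample, 'strip').lastName);
```

Applied to the report above, the object would pass through `guardNul` before being handed to `db.one`, so the decision about U+0000 is made at the application boundary rather than surfacing as a protocol error.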