Add more test cases

sqlbuilder.nimble

@@ -1,6 +1,6 @@
 # Package
 
-version       = "1.0.2"
+version       = "1.0.3"
 author        = "ThomasTJdev"
 description   = "SQL builder"
 license       = "MIT"

src/sqlbuilderpkg/select.nim

@@ -96,7 +96,7 @@ proc sqlSelectConstWhere(where: varargs[string], usePrepared: NimNode): string =
           wes.add(d)
 
       # => ... = NULL
-      elif dataUpper[(v.high - 3)..v.high] == "NULL":
+      elif v.len() >= 5 and dataUpper[(v.high - 4)..v.high] == " NULL":
         wes.add(v)
 
       # => ? = ANY(...)
@@ -108,15 +108,15 @@ proc sqlSelectConstWhere(where: varargs[string], usePrepared: NimNode): string =
           wes.add("? " & v)
 
       # => ... IN (?)
-      elif dataUpper[(v.high - 2)..v.high] == " IN":
+      elif v.len() >= 3 and dataUpper[(v.high - 2)..v.high] == " IN":
         if boolVal(usePrepared):
           prepareCount += 1
           wes.add(v & " ($" & $prepareCount & ")")
         else:
           wes.add(v & " (?)")
 
       # => ? IN (...)
-      elif v.len() > 2 and dataUpper[0..1] == "IN":
+      elif v.len() > 2 and dataUpper[0..2] == "IN ":
         if boolVal(usePrepared):
           prepareCount += 1
           wes.add("$" & $prepareCount & " " & v)
@@ -525,7 +525,7 @@ proc sqlSelect*(
         wes.add(d & " NULL")
 
       # => ... = NULL
-      elif dataUpper[(d.high - 3)..d.high] == "NULL":
+      elif d.len() >= 5 and dataUpper[(d.high - 4)..d.high] == " NULL":
         wes.add(d)
 
       # => ? = ANY(...)
@@ -537,15 +537,15 @@ proc sqlSelect*(
           wes.add("? " & d)
 
       # => ... IN (?)
-      elif dataUpper[(d.high - 2)..d.high] == " IN":
+      elif d.len() >= 3 and dataUpper[(d.high - 2)..d.high] == " IN":
         if usePrepared:
           prepareCount += 1
           wes.add(d & " ($" & $prepareCount & ")")
         else:
           wes.add(d & " (?)")
 
       # => ? IN (...)
-      elif d.len() > 2 and dataUpper[0..1] == "IN":
+      elif d.len() > 2 and dataUpper[0..2] == "IN ":
         if usePrepared:
           prepareCount += 1
           wes.add("$" & $prepareCount & " " & d)

src/sqlbuilderpkg/utils_private.nim

@@ -137,8 +137,44 @@ proc hasIllegalFormats*(query: string): string =
   #
   let noSpaces = query.strip().replace(" ", "")
 
-  if "??" in noSpaces:
-    return "double insert detected. (??)"
+  const nospaceBad = [
+    "??",
+    "=?,?,",
+    "=?,AND",
+    "=?,OR",
+    "AND?,",
+    "OR?,",
+  ]
+
+  for b in nospaceBad:
+    if b in noSpaces:
+      return "wrong position of ?. (" & b & ")"
+
+
+
+  #
+  # Bad ? substittution
+  #
+  const badSubstitutions = [
+    "= ? AND ?",
+    "= ? OR ?"
+  ]
+  const badSubstitutionsAccept = [
+    " = ? AND ? ANY ",
+    " = ? AND ? IN ",
+    " = ? AND ? = "
+  ]
+  for o in badSubstitutions:
+    if o in query:
+      var pass: bool
+      for b in badSubstitutionsAccept:
+        if b in query:
+          pass = true
+          break
+      if not pass:
+        return "bad ? substitution. (= ? AND ?)"
+
+
 
 proc sqlWhere*(where: varargs[string]): string =
   ## the WHERE part of the query.

tests/legacy_convert/test_legacy.nim

@@ -254,3 +254,14 @@ suite "test sqlSelectMacro":
     check querycompare(q1, sql("SELECT name, age FROM my-table WHERE id = ?"))
 
 
+
+
+suite "test various":
+
+  test "xxx":
+
+    let q1 = sqlSelect("locker", ["name"], [""], ["project_id =", "name =", "info ="], "", "", "")
+
+    check querycompare(q1, sql("SELECT name FROM locker WHERE project_id = ? AND name = ? AND info = ?"))
+
+

tests/select/test_select.nim

@@ -541,3 +541,39 @@ suite "test where cases custom formatting":
 
 
 
+
+
+
+suite "test using DB names for columns":
+
+  test "info => in, nonull => null, anything => any":
+
+    let test = sqlSelect(
+      table     = "tasks",
+      select    = @["id", "name"],
+      where     = @["id =", "user =", "info =", "IN info", "anything =", "IN nonull"],
+    )
+    check querycompare(test, sql(" SELECT id, name FROM tasks WHERE id = ? AND user = ? AND info = ? AND ? IN info AND anything = ? AND ? IN nonull"))
+
+
+
+
+suite "catch bad formats":
+
+  test "malicious ?":
+
+    const mal = [
+      "id = ?, AND ?",
+      "id = ?, OR ?",
+      "id = ? ?",
+      "id = ? AND ?",
+      "id = ? OR ?",
+    ]
+
+    for m in mal:
+      check hasIllegalFormats(m) != ""
+
+
+
+
+