Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

parameterization is not working correctly for FROM queries

See original GitHub issue

If I use the FROM syntax during an UPDATE statement, it seems that the parameterize of this library always assumes “text” event when it shouldn’t be. I have written a fully working example here: https://gist.github.com/nhumrich/d330d167b4650f32cc33cfcb992123c0

If you run a basic query where bar is a DOUBLE PRECISION column, everything works. But if you use this syntax instead, it says its text for some reason:

'UPDATE foo d SET bar=v.bar FROM (values ($1, $2)) as v(id,bar) WHERE d.id=v.id', ['abc', 4]

You get the following error form postgres:

error: column “bar” is of type double precision but expression is of type text

If I dont use parameters, and instead use the exact values in the query, it works perfectly, as expected. You can see this example in the gist. Obviously, “not using parameters” is not a workaround, because of sql injection.

Issue Analytics

State:
Created 3 years ago
Reactions:4
Comments:9 (2 by maintainers)

Top GitHub Comments

1reaction

nhumrichcommented, Apr 10, 2020

PostgreSQL is what assumes text when nothing is giving it better information.

Thats fair. I did try other libraries in other languages though, like sqlalchemy (python, which has the same mapping problem as javascript), and none of them have this problem. I will look into this though.

0reactions

shaneosullivancommented, Dec 23, 2022

I see the same issue but for UPDATE queries that use the CASE/WHEN syntax like

UPDATE test_repro
    SET
      num = (
        CASE
          WHEN id = $1 then $2
        END
      )
    WHERE id in ($3)
;

See the full script at https://gist.github.com/shaneosullivan/555419454e536823d6f56fbc04612096

Top Results From Across the Web

Query Store and Parameterization Problems - Simple Talk

Identifying the Queries with Parameterization Problems · First, change the parameterization configuration and clear the database procedure cache: ...

Forced Parameterization Doesn't Work on Partially ...

Over and over again, I run into applications that don't parameterize their queries, and as a result: Compilations/sec is nearly as high as ......

Parameterized Queries not working - Stack Overflow

You are not using the parameters in the query. I would expect to see @searchPhrase , etc. in the query string itself. However,...

4.0 Query Parameterization - Microsoft Community Hub

However if the query processor can generate a better plan with the literal values, then this parameterization is considered 'unsafe'. The query ...

What Happens When You Don't Parameterize SQL Server ...

Aside from the obvious perils of SQL Injection, parameterizing queries can be helpful in other ways. Not to downplay SQL Injection at all,...

Troubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.

Start Free

Top Related Reddit Thread

No results found

Top Related Tweet

No results found

Top Related Dev.to Post

No results found

parameterization is not working correctly for FROM queries

Issue Analytics

Top GitHub Comments

Top Results From Across the Web

Top Related Medium Post

Top Related StackOverflow Question

Troubleshoot Live Code

Top Related Reddit Thread

Top Related Hackernoon Post

Top Related Tweet

Top Related Dev.to Post

Top Related Hashnode Post

Node 14.0.0 - pg does not response

v8.0.0 changelog?