
Raw queries do not handle identifier bindings correctly

See original GitHub issue

If we attempt to use knex.raw to write the following type of query:

> select 'val' as "name?"
 name?
---------
 val
(1 row)

by writing the following…

knex.raw('select ? as ??', ['val', 'name?'])
    .catch(e => console.error(e))

we get this error:

{ error: 'select * from (select $1 as "name$2") as t - 
     could not determine data type of parameter $1' }


Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 10 (6 by maintainers)

Top GitHub Comments

1 reaction
elhigu commented, Jun 13, 2019

Don't use periods, or don't use ?? binding in that case. ?? bindings treat periods as a special character and that is not going to change.

0 reactions
elhigu commented, Jun 13, 2019

Safest to avoid everything that is not a-zA-Z0-9_-. That binding should be used for 'table.column' type of references. And those should not be read from user input anyway.
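The two points in this thread (the issue report, where a `?` inside an identifier bound with `??` leaks into the generated SQL, and the maintainer's advice to keep `??` for `table.column` references built from an a-zA-Z0-9_- allowlist, never from user input) are illustrated below in an added example. It is not knex's code and not the issue author's: `quoteIdentifier`, `sortColumnFor` and `renderRaw` are hypothetical helpers, and `renderRaw` is only a simplified stand-in for placeholder substitution (no escape handling), written to show where the validation has to sit.

```javascript
'use strict';

// Added example, not knex's implementation. Allowlist per dot-separated segment,
// following the maintainer's advice: anything outside a-zA-Z0-9_- is rejected.
const SAFE_SEGMENT = /^[A-Za-z0-9_-]+$/;

// Quote an identifier Postgres-style: each dot-separated segment gets double quotes,
// so 'users.id' becomes "users"."id". A segment such as 'name?' is rejected with an
// error instead of being quoted, so a stray '?' never reaches the SQL text.
function quoteIdentifier(identifier) {
  if (typeof identifier !== 'string' || identifier.length === 0) {
    throw new TypeError('identifier must be a non-empty string');
  }
  return identifier
    .split('.')
    .map((segment) => {
      if (!SAFE_SEGMENT.test(segment)) {
        throw new Error(`unsafe identifier segment: ${JSON.stringify(segment)}`);
      }
      return `"${segment}"`;
    })
    .join('.');
}

// Safer pattern for identifiers chosen by a request: map the user's choice onto a
// fixed table of known columns (hypothetical names) and bind only the mapped value.
const SORTABLE_COLUMNS = {
  name: 'users.name',
  created: 'users.created_at',
};

function sortColumnFor(userChoice) {
  if (!Object.prototype.hasOwnProperty.call(SORTABLE_COLUMNS, userChoice)) {
    throw new Error(`unknown sort column: ${JSON.stringify(userChoice)}`);
  }
  return SORTABLE_COLUMNS[userChoice];
}

// Simplified stand-in for raw placeholder substitution (assumption: no escape
// handling). '??' consumes the next binding as an identifier, '?' as a value
// rendered as a $n positional parameter. Identifiers are validated before they
// are spliced into the statement, which is what keeps 'name?' out of the SQL.
function renderRaw(sql, bindings) {
  const params = [];
  let next = 0;
  const rendered = sql.replace(/\?\??/g, (token) => {
    const binding = bindings[next++];
    if (token === '??') {
      return quoteIdentifier(binding);
    }
    params.push(binding);
    return `$${params.length}`;
  });
  return { sql: rendered, params };
}

// Usage: a valid table.column reference renders, the identifier from the issue does not.
console.log(renderRaw('select ? as ??', ['val', 'users.name']));
try {
  renderRaw('select ? as ??', ['val', 'name?']);
} catch (err) {
  console.log('rejected:', err.message);
}
console.log(renderRaw('select * from users order by ??', [sortColumnFor('created')]));
```

The allowlist rejects identifiers before they are spliced in, which is the only place a check can work: once a `?` is inside the statement text it is indistinguishable from a placeholder.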
