Fix incorrectly replacing non-placeholders in SQL

dougwilson · dougwilson · commit 485caf63c8f2 · 2018-02-24T18:17:58.000-05:00
fixes #31
diff --git a/HISTORY.md b/HISTORY.md
@@ -1,3 +1,8 @@
+unreleased
+==========
+
+  * Fix incorrectly replacing non-placeholders in SQL
+
 2.3.0 / 2017-10-01
 ==================
 
diff --git a/lib/SqlString.js b/lib/SqlString.js
@@ -83,13 +83,19 @@ SqlString.format = function format(sql, values, stringifyObjects, timeZone) {
   }
 
   var chunkIndex        = 0;
-  var placeholdersRegex = /\?\??/g;
+  var placeholdersRegex = /\?+/g;
   var result            = '';
   var valuesIndex       = 0;
   var match;
 
   while (valuesIndex < values.length && (match = placeholdersRegex.exec(sql))) {
-    var value = match[0] === '??'
+    var len = match[0].length;
+
+    if (len > 2) {
+      continue;
+    }
+
+    var value = len === 2
       ? SqlString.escapeId(values[valuesIndex])
       : SqlString.escape(values[valuesIndex], stringifyObjects, timeZone);
 
diff --git a/test/unit/test-SqlString.js b/test/unit/test-SqlString.js
@@ -257,6 +257,11 @@ test('SqlString.format', {
     assert.equal(sql, 'SELECT * FROM `table` WHERE id = 42');
   },
 
+  'triple question marks are ignored': function () {
+    var sql = SqlString.format('? or ??? and ?', ['foo', 'bar', 'fizz', 'buzz']);
+    assert.equal(sql, "'foo' or ??? and 'bar'");
+  },
+
   'extra question marks are left untouched': function() {
     var sql = SqlString.format('? and ?', ['a']);
     assert.equal(sql, "'a' and ?");
