Parameters do not work in string functions #4014
Comments
Heya! If I understand your example correctly, you want to ensure that the column with the name of the column being contained in the
LET $column = "name";
LET $value = "biryani";
SELECT * FROM menu_item WHERE string::startsWith($this[column], $value) LIMIT 10 FETCH categories
$column and $value are dynamic, so I don't really know what's coming in them.
This is the same as I am sending values directly in the query. My question is why can't I use parameters inside the query. The query works when I don't use string functions. But with string functions it gives an error. I have a similar issue for
import { Surreal } from 'surrealdb.node';

const db = new Surreal();

async function main() {
  await db.connect('ws://127.0.0.1:8000');
  await db.signin({
    username: 'root',
    password: 'root',
  });
  await db.use({ ns: 'test', db: 'test' });
  await db.create('menu_item', { name: 'Pizza' });
  // Column name and value are both passed as bound parameters,
  // not concatenated into the query text.
  let res = await db.query(
    'SELECT * FROM menu_item WHERE string::startsWith($this[$column], $value)',
    { column: 'name', value: 'P' }
  );
  console.log(res);
}

main();

I've tried around a bit, this seems to work, you were just missing the
This resolved the issue but can you tell me why
Sure, that's just the current execution context for that query, like https://surrealdb.com/docs/surrealdb/surrealql/parameters#parent-this
Don't forget to close the issue ^^
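As an added example (not code from this thread or from the SurrealDB project), one way to keep `$column` and `$value` bound as parameters while restricting which column names a caller may supply, since both arrive as dynamic input. `SEARCHABLE_COLUMNS`, `buildPrefixSearch` and `searchByPrefix` are hypothetical names and the allowlist contents are assumed; the `db.query(sql, vars)` call shape is the one used in the reply above.

```javascript
// Added example. Hypothetical helpers; only the SurrealQL text and the
// db.query(sql, vars) call shape come from the thread.

// Assumption: the columns a caller may filter on are known in advance.
// The entries here are constructed for illustration.
const SEARCHABLE_COLUMNS = new Set(['name', 'description']);

// Constant query text. User input is never concatenated into it; the
// column name and the prefix both travel as bound parameters.
const PREFIX_QUERY =
  'SELECT * FROM menu_item WHERE string::startsWith($this[$column], $value)';

// Validate the dynamic inputs and return the query text plus its bindings.
function buildPrefixSearch(column, value) {
  // Allowlist the column so a caller cannot filter on fields the
  // endpoint was not meant to expose.
  if (typeof column !== 'string' || !SEARCHABLE_COLUMNS.has(column)) {
    throw new RangeError(`column not searchable: ${String(column)}`);
  }
  // string:: functions require a string argument (the issue's error shows
  // what a non-string argument produces), so reject anything else before
  // it reaches the database.
  if (typeof value !== 'string') {
    throw new TypeError('value must be a string');
  }
  return { sql: PREFIX_QUERY, vars: { column, value } };
}

// Run the search on any client exposing query(sql, vars).
function searchByPrefix(db, column, value) {
  const { sql, vars } = buildPrefixSearch(column, value);
  return db.query(sql, vars);
}
```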
Describe the bug
Parameters are not working when working with string functions inside where conditions. For example
this query
is giving the following error
Incorrect arguments for function string::lowercase(). Argument 1 was the wrong type. Expected a string but found NONE
But when I put real values instead of parameters it works just fine.
This is a security vulnerability as well due to the risk of SQL injection
Steps to reproduce
Create a simple table with at least 1 field with data type string
Expected behaviour
Parameters should work in string functions used in the where clause
SurrealDB version
1.4.2 for linux on x86_64
Contact Details
ahmedali5530@gmail.com