Fix for #5153 - doing it at the mysql level as it seems to be affected by incorrect types in a way that other SQL databases aren't - limits the possible damage this can do.
parent
80a99b549f
commit
5dcbef58a8
|
@ -181,11 +181,7 @@ export interface QueryJson {
|
|||
|
||||
export interface SqlQuery {
|
||||
sql: string
|
||||
bindings?:
|
||||
| string[]
|
||||
| {
|
||||
[key: string]: any
|
||||
}
|
||||
bindings?: string[]
|
||||
}
|
||||
|
||||
export interface QueryOptions {
|
||||
|
|
|
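Review bot: The narrowed declaration `bindings?: string[]` does not match how the array is used elsewhere in this commit. `bindingTypeCoerce` takes `any[]` and stores numbers back into the same array, so a `SqlQuery` (assuming that is the type of `query` at the MySQL call site) can hold numbers while its type says strings only. If numeric or null bindings are legitimate, declare them, for example `bindings?: (string | number | null)[]`, and type the helper's parameter the same way so the compiler checks the coercion path. Otherwise add a comment on the field saying that integrations may coerce the values before execution.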
@ -80,6 +80,20 @@ module MySQLModule {
|
|||
},
|
||||
}
|
||||
|
||||
function bindingTypeCoerce(bindings: any[]) {
|
||||
for (let i = 0; i < bindings.length; i++) {
|
||||
const binding = bindings[i]
|
||||
if (typeof binding !== "string") {
|
||||
continue
|
||||
}
|
||||
const matches = binding.match(/^\d*/g)
|
||||
if (matches && matches[0] !== "" && !isNaN(Number(matches[0]))) {
|
||||
bindings[i] = parseFloat(binding)
|
||||
}
|
||||
}
|
||||
return bindings
|
||||
}
|
||||
|
||||
class MySQLIntegration extends Sql implements DatasourcePlus {
|
||||
private config: MySQLConfig
|
||||
private client: any
|
||||
|
@ -122,7 +136,7 @@ module MySQLModule {
|
|||
// Node MySQL is callback based, so we must wrap our call in a promise
|
||||
const response = await this.client.query(
|
||||
query.sql,
|
||||
query.bindings || []
|
||||
bindingTypeCoerce(query.bindings || [])
|
||||
)
|
||||
return response[0]
|
||||
} finally {
|
||||
|
|
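Review bot: In `bindingTypeCoerce` the pattern `/^\d*/g` is anchored only at the start, so any string that merely begins with digits passes the check and `parseFloat(binding)` silently drops the rest. With constructed examples, `"123abc"` is bound as 123 and a date string such as `"2022-03-01"` as 2022. That changes which rows a filter matches, which matters when the value is an identifier or lookup key, and digit strings with leading zeros or beyond the safe-integer range are altered too. Coerce only when the whole string is a canonical number, e.g. `if (/^\d+(\.\d+)?$/.test(binding) && String(Number(binding)) === binding) { bindings[i] = Number(binding) }`. The helper also rewrites the caller's array in place, so consider returning a copy, with a one-line comment saying why MySQL needs numeric bindings (#5153).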