From 70f2065a362012263e76982151d2604d9c555d35 Mon Sep 17 00:00:00 2001
From: calzoneman
Date: Mon, 3 Jun 2013 18:37:30 -0400
Subject: [PATCH] Improve SQL escaping

---
 database.js | 41 +++++++++++++++++++++++++++++++----------
 1 file changed, 31 insertions(+), 10 deletions(-)

diff --git a/database.js b/database.js
index 96193d3e..e3f53392 100644
--- a/database.js
+++ b/database.js
@@ -40,23 +40,44 @@ function getConnection() {
 return db;
 }
 
+function sqlEscape(obj) {
+ if(obj === undefined || obj === null)
+ return "NULL";
+
+ if(typeof obj === "boolean")
+ return obj ? "true" : "false";
+
+ if(typeof obj === "number")
+ return obj + "";
+
+ if(typeof obj === "object")
+ return "'object'";
+
+ if(typeof obj === "string") {
+ obj = obj.replace(/[\0\n\r\b\t\\\'\"\x1a]/g, function(s) {
+ switch(s) {
+ case "\0": return "\\0";
+ case "\n": return "\\n";
+ case "\r": return "\\r";
+ case "\b": return "\\b";
+ case "\t": return "\\t";
+ case "\x1a": return "\\Z";
+ default: return "\\" + s;
+ }
+ });
+ return "'" + obj + "'";
+ }
+}
+
 function createQuery(template, args) {
 var last = -1;
 while(template.indexOf("?", last) >= 0) {
 var idx = template.indexOf("?", last);
 var arg = args.shift();
- if(typeof arg == "string") {
- arg = arg.replace(/([\'])/g, "\\$1");
- if(idx == 0 || template[idx-1] != "`") {
- arg = "'" + arg + "'";
- }
- }
- if(arg === null || arg === undefined) {
- arg = "NULL";
- }
+ arg = sqlEscape(arg);
 var first = template.substring(0, idx);
 template = first + template.substring(idx).replace("?", arg);
- last = idx + (arg+"").length;
+ last = idx + arg.length;
 }
 return template;
 }
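Review bot: `sqlEscape` has no final return, so a value of any `typeof` not listed (e.g. a function) yields `undefined` and the new `last = idx + arg.length;` in createQuery throws a TypeError instead of reporting the bad argument; add a terminal `throw new Error("sqlEscape: unsupported type " + typeof obj);`. The new `last` computation also assumes exactly `arg` was inserted, but the unchanged `template.substring(idx).replace("?", arg)` interprets `$$`, `$&` and `` $` `` sequences inside the escaped value, so a string containing `$$` is written to the query as `$` and the offset drifts from the real insertion point; splicing with `template = first + arg + template.substring(idx + 1);` avoids the replacement-pattern parsing entirely. The removed code left a `?` placed directly after a backtick unquoted while the new code always quotes strings, so any template that used `` `?` `` for an identifier now receives a quoted literal — worth confirming no caller relies on that. Regex-based escaping here is not aware of the connection character set the way a driver's own escape routine is, so if the driver in use offers placeholder binding or an escape function, that remains the more robust path for untrusted values.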