Skip to content

template literal style ambiguity #186

New issue
New issue
Open
Open
template literal style ambiguity#186
Assignees
danielebriggi
Labels
bugSomething isn't working
@danielebriggi

Description

@danielebriggi
danielebriggi
opened on Jan 2, 2025

When using the template-literal-style:

const result = await connection.sql`
    SELECT * FROM artists
    WHERE name LIKE "%${filter}%"
    LIMIT ${limit}
`;

there is ambiguity about the expectation. In this case 3, I'd expect the query to work but the prepared statement requires the entire string %myvalue% as value.
In the case above, the query is converted into

SELECT * FROM artists
WHERE name LIKE "%?%"
LIMIT ?

with parameters ["myvalue", 10].
SQLite instead requires parameters to be ["%myvalue%, 10].

This template literal syntax should be deprecated.
The correct syntax to properly escape parameters without ambiguity is (case 5 below):

const result = await connection.sql(`
    SELECT * FROM artists
    WHERE name LIKE ?
    LIMIT ?
`, `%${filter}%`, 10);

Tested cases

Case 1 ✅

⚠️ parameters are not escaped

const result = await connection.sql(`
    SELECT * FROM artists
    WHERE name LIKE "%${filter}%"
    LIMIT ${limit}
`);

Case 2 ✅

filter = `%${filter}%`
const result = await connection.sql`
    SELECT * FROM artists
    WHERE name LIKE ${filter}
    LIMIT ${limit}
`;

Case 3 ❌

const result = await connection.sql`
    SELECT * FROM artists
    WHERE name LIKE "%${filter}%"
    LIMIT ${limit}
`;

Case 4 ✅

const result = await connection.sql(`
    SELECT * FROM artists
    WHERE name LIKE ?
    LIMIT ${limit}
`, `%${filter}%`);

Metadata

Metadata

Assignees

Labels

bugSomething isn't working

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions