timwis · timwis · Feb 16, 2017 · Feb 15, 2017 · Feb 16, 2017 · Feb 16, 2017
diff --git a/index.js b/index.js
@@ -4,17 +4,6 @@ var qs = require('querystring'),
 // Converts AST to SQL
 exports.stringify = require('./stringify');
 
-// Return quote-wrapped value for non numbers
-var typedValue = function(val) {
-  var lowerCaseVal = val.toLowerCase()
-  try {
-    JSON.parse(lowerCaseVal)
-    return lowerCaseVal
-  } catch(e) {
-    return '"' + val + '"'
-  }
-}
-
 // Converts SQL to AST
 exports.parse = function(params) {
   // If a string was passed, parse the querystring into an object
@@ -26,7 +15,7 @@ exports.parse = function(params) {
   var where = [];
   if(params.$where) where.push(params.$where);
   for(key in params) {
-    if(key.charAt(0) !== '$') where.push(key + ' = ' + typedValue(params[key]));
+    if(key.charAt(0) !== '$') where.push(whereEqual(key, params[key]));
   }
   params.$where = where.join(' AND ');
 
@@ -43,3 +32,9 @@ exports.parse = function(params) {
 
   return sqlparser.parse(sql);
 };
+
+function whereEqual (key, value) {
+  var sanitizedValue = value.replace(/^['"]|['"]$/g, '') // remove surrounding quotes
+                            .replace(/\'/g, "\\'") // escape inner quotes
+  return key + " = '" + sanitizedValue + "'";
+}
diff --git a/stringify.js b/stringify.js
@@ -1,14 +1,15 @@
 
 var escapeMap = {
   '\0'  : '\\0',
-  '\''  : '\\\'',
+  // '\''  : '\\\'',
   '\"'   : '\\\"',
   '\b'  : '\\b',
   '\n'  : '\\n',
   '\r'  : '\\r',
   '\t'  : '\\t',
   '\x1a': '\\Z',        /**<    EOF */
   '\\'  : '\\\\',
+  "\'"  : "''"
 //  '%'   : '\\%',
 //  '_'  :  '\_'
 };

diff --git a/test/soda/stringify.js b/test/soda/stringify.js
@@ -18,4 +18,11 @@ describe('stringify test', function() {
     sql.should.eql('SELECT foo LIMIT 5 OFFSET 10')
   });
 
+  it('named filter can contain a quote within', function() {
+    var ast = Parser.parse("foo=Philadelphia's district")
+    var sql = stringify.parse(ast)
+
+    sql.should.eql("SELECT * WHERE foo = 'Philadelphia''s district'")
+  })
+
 });
diff --git a/test/soda/where.js b/test/soda/where.js
@@ -7,17 +7,23 @@ function inspect(obj) {
 
 describe('where test',function(){
 
-  it('named filter sets types', function() {
+  it('named filter sets all types to strings', function() {
     var ast = Parser.parse('foo=1&baz=quz')
     //inspect(ast)
 
     ast.where.left.left.column.should.eql('foo')
-    ast.where.left.right.value.should.eql(1)
+    ast.where.left.right.value.should.eql('1')
 
     ast.where.right.left.column.should.eql('baz')
     ast.where.right.right.value.should.eql('quz')
   })
 
+  it('named filter can be quoted', function() {
+    var ast = Parser.parse("foo='1'")
+
+    ast.where.right.value.should.eql('1')
+  })
+
   it('filter', function() {
     var ast = Parser.parse('$select=foo, bar&foo=1&$where=bar = 2')
     //inspect(ast)