Escape single quotation mark and backslash when quoting string (#29)

* Escape single quotation mark and backslash when quoting string * Increment patch version to 0.11.4 --------- Co-authored-by: Jeff Luckett <jeff@jeffluckett.com>
Beyond-Finance · Apr 10, 2023 · e971ea0 · e971ea0
1 parent 55c9e10
commit e971ea0
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,9 +3,10 @@
 ## Not released
 
 ## 0.11.4
-
+* Properly escape single quote (https://github.com/Beyond-Finance/active_force/pull/29)
 * Fix `Time` value formatting in `.where` (https://github.com/Beyond-Finance/active_force/pull/28)
 
+
 ## 0.11.3
 
 * Fix has_one assignment when receiver does not have id (https://github.com/Beyond-Finance/active_force/pull/23)

diff --git a/lib/active_force/active_query.rb b/lib/active_force/active_query.rb
@@ -162,7 +162,7 @@ def eq_predicate(attribute, value)
     def enclose_value value
       case value
       when String
-        "'#{quote_string(value)}'"
+        quote_string(value)
       when NilClass
         'NULL'
       when Time
@@ -173,8 +173,7 @@ def enclose_value value
     end
 
     def quote_string(s)
-      # From activerecord/lib/active_record/connection_adapters/abstract/quoting.rb, version 4.1.5, line 82
-      s.gsub(/\\/, '\&\&').gsub(/'/, "''")
+      "'#{s.gsub(/(['\\])/, '\\\\\\1')}'"
     end
 
     def result

diff --git a/spec/active_force/active_query_spec.rb b/spec/active_force/active_query_spec.rb
@@ -250,7 +250,7 @@
     let(:quote_input){ "' OR Id!=NULL OR Id='" }
     let(:backslash_input){ "\\" }
     let(:number_input){ 123 }
-    let(:expected_query){ "SELECT Id FROM table_name WHERE (Backslash_Field__c = '\\\\' AND NumberField = 123 AND QuoteField = ''' OR Id!=NULL OR Id=''')" }
+    let(:expected_query){ "SELECT Id FROM table_name WHERE (Backslash_Field__c = '\\\\' AND NumberField = 123 AND QuoteField = '\\' OR Id!=NULL OR Id=\\'')" }
 
     it 'escapes quotes and backslashes in bind parameters' do
       active_query.where('Backslash_Field__c = :backslash_field AND NumberField = :number_field AND QuoteField = :quote_field', number_field: number_input, backslash_field: backslash_input, quote_field: quote_input)
@@ -264,7 +264,7 @@
 
     it 'escapes quotes and backslashes in hash conditions' do
       active_query.where(backslash_field: backslash_input, number_field: number_input, quote_field: quote_input)
-      expect(active_query.to_s).to eq("SELECT Id FROM table_name WHERE (Backslash_Field__c = '\\\\') AND (NumberField = 123) AND (QuoteField = ''' OR Id!=NULL OR Id=''')")
+      expect(active_query.to_s).to eq("SELECT Id FROM table_name WHERE (Backslash_Field__c = '\\\\') AND (NumberField = 123) AND (QuoteField = '\\' OR Id!=NULL OR Id=\\'')")
     end
   end