fix: do not concatenate an array if passed to escapeLiteral. (#3489)

brianc · web-flow · commit 8608fb84c846 · 2025-06-14T16:36:32.000-05:00
diff --git a/packages/pg/lib/utils.js b/packages/pg/lib/utils.js
@@ -176,6 +176,14 @@ const escapeLiteral = function (str) {
   let hasBackslash = false
   let escaped = "'"
 
+  if (str == null) {
+    return "''"
+  }
+
+  if (typeof str !== 'string') {
+    return "''"
+  }
+
   for (let i = 0; i < str.length; i++) {
     const c = str[i]
     if (c === "'") {
diff --git a/packages/pg/test/unit/utils-tests.js b/packages/pg/test/unit/utils-tests.js
@@ -232,35 +232,46 @@ test('prepareValue: can safely be used to map an array of values including those
 })
 
 const testEscapeLiteral = function (testName, input, expected) {
-  test(testName, function () {
+  test(`escapeLiteral: ${testName}`, function () {
     const actual = utils.escapeLiteral(input)
     assert.equal(expected, actual)
   })
 }
-testEscapeLiteral('escapeLiteral: no special characters', 'hello world', "'hello world'")
 
-testEscapeLiteral('escapeLiteral: contains double quotes only', 'hello " world', "'hello \" world'")
+testEscapeLiteral('no special characters', 'hello world', "'hello world'")
 
-testEscapeLiteral('escapeLiteral: contains single quotes only', "hello ' world", "'hello '' world'")
+testEscapeLiteral('contains double quotes only', 'hello " world', "'hello \" world'")
 
-testEscapeLiteral('escapeLiteral: contains backslashes only', 'hello \\ world', " E'hello \\\\ world'")
+testEscapeLiteral('contains single quotes only', "hello ' world", "'hello '' world'")
 
-testEscapeLiteral('escapeLiteral: contains single quotes and double quotes', 'hello \' " world', "'hello '' \" world'")
+testEscapeLiteral('contains backslashes only', 'hello \\ world', " E'hello \\\\ world'")
 
-testEscapeLiteral(
-  'escapeLiteral: contains double quotes and backslashes',
-  'hello \\ " world',
-  " E'hello \\\\ \" world'"
-)
+testEscapeLiteral('contains single quotes and double quotes', 'hello \' " world', "'hello '' \" world'")
 
-testEscapeLiteral(
-  'escapeLiteral: contains single quotes and backslashes',
-  "hello \\ ' world",
-  " E'hello \\\\ '' world'"
-)
+testEscapeLiteral('date', new Date(), "''")
+
+testEscapeLiteral('null', null, "''")
+
+testEscapeLiteral('undefined', undefined, "''")
+
+testEscapeLiteral('boolean', false, "''")
+
+testEscapeLiteral('number', 1, "''")
+
+testEscapeLiteral('number', 1, "''")
+
+testEscapeLiteral('boolean', true, "''")
+
+testEscapeLiteral('array', [1, 2, 3], "''")
+
+testEscapeLiteral('object', { x: 42 }, "''")
+
+testEscapeLiteral('contains double quotes and backslashes', 'hello \\ " world', " E'hello \\\\ \" world'")
+
+testEscapeLiteral('contains single quotes and backslashes', "hello \\ ' world", " E'hello \\\\ '' world'")
 
 testEscapeLiteral(
-  'escapeLiteral: contains single quotes, double quotes, and backslashes',
+  'contains single quotes, double quotes, and backslashes',
   'hello \\ \' " world',
   " E'hello \\\\ '' \" world'"
 )
