Fix: Where clauses with named arguments may cause generation of unintended queries (#4937)

emregullu · web-flow · commit 2c3fc2db28dc · 2021-12-21T19:50:00.000+08:00
diff --git a/clause/where.go b/clause/where.go
@@ -60,6 +60,9 @@ func buildExprs(exprs []Expression, builder Builder, joinCond string) {
 			case Expr:
 				sql := strings.ToLower(v.SQL)
 				wrapInParentheses = strings.Contains(sql, "and") || strings.Contains(sql, "or")
+			case NamedExpr:
+				sql := strings.ToLower(v.SQL)
+				wrapInParentheses = strings.Contains(sql, "and") || strings.Contains(sql, "or")
 			}
 		}
 
diff --git a/tests/named_argument_test.go b/tests/named_argument_test.go
@@ -2,6 +2,7 @@ package tests_test
 
 import (
 	"database/sql"
+	"errors"
 	"testing"
 
 	"gorm.io/gorm"
@@ -66,4 +67,16 @@ func TestNamedArg(t *testing.T) {
 	}
 
 	AssertEqual(t, result6, namedUser)
+
+	var result7 NamedUser
+	if err := DB.Where("name1 = @name OR name2 = @name", sql.Named("name", "jinzhu-new")).Where("name3 = 'jinzhu-new3'").First(&result7).Error; err == nil || !errors.Is(err, gorm.ErrRecordNotFound) {
+		t.Errorf("should return record not found error, but got %v", err)
+	}
+
+	DB.Delete(&namedUser)
+
+	var result8 NamedUser
+	if err := DB.Where("name1 = @name OR name2 = @name", map[string]interface{}{"name": "jinzhu-new"}).First(&result8).Error; err == nil || !errors.Is(err, gorm.ErrRecordNotFound) {
+		t.Errorf("should return record not found error, but got %v", err)
+	}
 }

Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,9 @@ func buildExprs(exprs []Expression, builder Builder, joinCond string) {`
`60`	`60`	`case Expr:`
`61`	`61`	`sql := strings.ToLower(v.SQL)`
`62`	`62`	`wrapInParentheses = strings.Contains(sql, "and") \|\| strings.Contains(sql, "or")`
	`63`	`+ case NamedExpr:`
	`64`	`+ sql := strings.ToLower(v.SQL)`
	`65`	`+ wrapInParentheses = strings.Contains(sql, "and") \|\| strings.Contains(sql, "or")`
`63`	`66`	`}`
`64`	`67`	`}`
`65`	`68`