refactor: use parameterised query pattern

DaxServer · DaxServer · commit 705814db2da2 · 2025-09-28T14:15:06.000+02:00
diff --git a/backend/src/api/project/index.ts b/backend/src/api/project/index.ts
@@ -4,7 +4,6 @@ import {
   PaginationQuery,
   ProjectParams,
   ProjectResponseSchema,
-  ReplaceOperationResponseSchema,
   ReplaceOperationSchema,
   type Project,
 } from '@backend/api/project/schemas'
@@ -559,7 +558,7 @@ export const projectRoutes = new Elysia({ prefix: '/api/project' })
       const replaceService = new ReplaceOperationService(db())
 
       try {
-        const result = await replaceService.performReplace({
+        const affectedRows = await replaceService.performReplace({
           table,
           column,
           find,
@@ -568,7 +567,9 @@ export const projectRoutes = new Elysia({ prefix: '/api/project' })
           wholeWord,
         })
 
-        return result
+        return {
+          affectedRows,
+        }
       } catch (error) {
         const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred'
         return status(
@@ -582,7 +583,9 @@ export const projectRoutes = new Elysia({ prefix: '/api/project' })
     {
       body: ReplaceOperationSchema,
       response: {
-        200: ReplaceOperationResponseSchema,
+        200: t.Object({
+          affectedRows: t.Number(),
+        }),
         400: ApiErrors,
         404: ApiErrors,
         422: ApiErrors,
diff --git a/backend/src/api/project/schemas.ts b/backend/src/api/project/schemas.ts
@@ -70,10 +70,3 @@ export const ReplaceOperationSchema = t.Object({
     default: false,
   }),
 })
-export type ReplaceOperationSchema = typeof ReplaceOperationSchema.static
-
-export const ReplaceOperationResponseSchema = t.Object({
-  message: t.String(),
-  affectedRows: t.Number(),
-})
-export type ReplaceOperationResponseSchema = typeof ReplaceOperationResponseSchema.static
diff --git a/backend/src/services/replace-operation.service.ts b/backend/src/services/replace-operation.service.ts
@@ -1,4 +1,4 @@
-import type { DuckDBConnection } from '@duckdb/node-api'
+import type { DuckDBConnection, DuckDBValue } from '@duckdb/node-api'
 
 export interface ReplaceOperationParams {
   table: string
@@ -9,69 +9,95 @@ export interface ReplaceOperationParams {
   wholeWord: boolean
 }
 
-export interface ReplaceOperationResult {
-  message: string
-  affectedRows: number
-}
-
 export class ReplaceOperationService {
   constructor(private db: DuckDBConnection) {}
 
   /**
    * Performs a replace operation on a column in a project table
    */
-  async performReplace(params: ReplaceOperationParams): Promise<ReplaceOperationResult> {
+  async performReplace(params: ReplaceOperationParams): Promise<number> {
     const { table, column, find, replace, caseSensitive, wholeWord } = params
 
-    // Build the REPLACE operation based on parameters
-    const replaceExpression = this.buildReplaceExpression(
+    // Count rows that will be affected before the update
+    const affectedRows = await this.countAffectedRows(table, column, find, caseSensitive, wholeWord)
+
+    // Only proceed if there are rows to update
+    if (affectedRows === 0) {
+      return 0
+    }
+
+    // Build and execute the parameterized UPDATE query
+    const { query, params: queryParams } = this.buildParameterizedUpdateQuery(
+      table,
       column,
       find,
       replace,
       caseSensitive,
       wholeWord,
     )
 
-    // Count rows that will be affected before the update
-    const affectedRows = await this.countAffectedRows(table, column, find, caseSensitive, wholeWord)
-
-    // Execute the update
-    await this.db.run(
-      `UPDATE "${table}" SET "${column}" = ${replaceExpression} WHERE "${column}" IS NOT NULL`,
-    )
+    await this.db.run(query, queryParams)
 
-    return {
-      message: `Successfully replaced '${find}' with '${replace}' in column '${column}'`,
-      affectedRows,
-    }
+    return affectedRows
   }
 
   /**
-   * Builds the appropriate replace expression based on the operation parameters
+   * Builds a parameterized UPDATE query to safely perform replace operations
    */
-  private buildReplaceExpression(
+  private buildParameterizedUpdateQuery(
+    table: string,
     column: string,
     find: string,
     replace: string,
     caseSensitive: boolean,
     wholeWord: boolean,
-  ): string {
+  ) {
+    const params: DuckDBValue[] = []
+
     if (wholeWord) {
       // For whole word replacement, use regex with word boundaries
-      const flags = caseSensitive ? 'g' : 'gi'
+      const replaceFlags = caseSensitive ? 'g' : 'gi'
+      const matchFlags = caseSensitive ? '' : 'i'
       const pattern = `\\b${this.escapeRegex(find)}\\b`
-      return `regexp_replace("${column}", '${pattern}', '${this.escapeSql(replace)}', '${flags}')`
+      params.push(pattern, replace, replaceFlags)
+
+      const query = `
+        UPDATE "${table}"
+        SET "${column}" = regexp_replace("${column}", $1, $2, $3)
+        WHERE "${column}" IS NOT NULL
+          AND regexp_matches("${column}", $1, '${matchFlags}')
+      `
+
+      return { query, params }
     }
 
     // For partial replacement, use simple replace or regex
     if (caseSensitive) {
-      return `replace("${column}", '${this.escapeSql(find)}', '${this.escapeSql(replace)}')`
+      params.push(find, replace)
+
+      const query = `
+        UPDATE "${table}"
+        SET "${column}" = replace("${column}", $1, $2)
+        WHERE "${column}" IS NOT NULL
+          AND position($1 in "${column}") > 0
+      `
+
+      return { query, params }
     }
 
     // Case-insensitive replacement using regex
-    const flags = 'gi'
+    const replaceFlags = 'gi'
     const pattern = this.escapeRegex(find)
-    return `regexp_replace("${column}", '${pattern}', '${this.escapeSql(replace)}', '${flags}')`
+    params.push(pattern, replace, replaceFlags)
+
+    const query = `
+      UPDATE "${table}"
+      SET "${column}" = regexp_replace("${column}", $1, $2, $3)
+      WHERE "${column}" IS NOT NULL
+        AND regexp_matches("${column}", $1, 'i')
+    `
+
+    return { query, params }
   }
 
   /**
@@ -84,23 +110,39 @@ export class ReplaceOperationService {
     caseSensitive: boolean,
     wholeWord: boolean,
   ): Promise<number> {
-    let countQuery: string
+    let query: string
+    const params: DuckDBValue[] = []
 
     if (wholeWord) {
       // For whole word matching, count rows where the word appears as a whole word
       const flags = caseSensitive ? '' : 'i'
       const pattern = `\\b${this.escapeRegex(find)}\\b`
-      countQuery = `SELECT COUNT(*) as count FROM "${table}" WHERE "${column}" IS NOT NULL AND regexp_matches("${column}", '${pattern}', '${flags}')`
+      params.push(pattern, flags)
+      query = `
+        SELECT COUNT(*) as count FROM "${table}"
+        WHERE "${column}" IS NOT NULL
+          AND regexp_matches("${column}", $1, $2)
+      `
     } else {
       if (caseSensitive) {
-        countQuery = `SELECT COUNT(*) as count FROM "${table}" WHERE "${column}" IS NOT NULL AND position('${this.escapeSql(find)}' in "${column}") > 0`
+        params.push(find)
+        query = `
+          SELECT COUNT(*) as count FROM "${table}"
+          WHERE "${column}" IS NOT NULL
+            AND position($1 in "${column}") > 0
+        `
       } else {
         const pattern = this.escapeRegex(find)
-        countQuery = `SELECT COUNT(*) as count FROM "${table}" WHERE "${column}" IS NOT NULL AND regexp_matches("${column}", '${pattern}', 'i')`
+        params.push(pattern)
+        query = `
+          SELECT COUNT(*) as count FROM "${table}"
+          WHERE "${column}" IS NOT NULL
+            AND regexp_matches("${column}", $1, 'i')
+        `
       }
     }
 
-    const countBeforeReader = await this.db.runAndReadAll(countQuery)
+    const countBeforeReader = await this.db.runAndReadAll(query, params)
     const countBeforeResult = countBeforeReader.getRowObjectsJson()
 
     return Number(countBeforeResult[0]?.count ?? 0)
@@ -110,13 +152,6 @@ export class ReplaceOperationService {
    * Escapes special regex characters in a string
    */
   private escapeRegex(str: string): string {
-    return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&').replace(/'/g, "''")
-  }
-
-  /**
-   * Escapes single quotes for SQL
-   */
-  private escapeSql(str: string): string {
-    return str.replace(/'/g, "''")
+    return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
   }
 }
diff --git a/backend/tests/api/project/project.replace.test.ts b/backend/tests/api/project/project.replace.test.ts
@@ -81,7 +81,6 @@ describe('Project API - find and replace', () => {
     expect(status).toBe(200)
     expect(error).toBeNull()
     expect(data).toEqual({
-      message: "Successfully replaced 'New York' with 'San Francisco' in column 'city'",
       affectedRows: 3,
     })
 
@@ -112,7 +111,6 @@ describe('Project API - find and replace', () => {
         replace: 'company.com',
         caseSensitive: true,
         wholeWord: false,
-        expectedMessage: "Successfully replaced 'example.com' with 'company.com' in column 'email'",
         expectedAffectedRows: 4,
       },
       {
@@ -122,20 +120,11 @@ describe('Project API - find and replace', () => {
         replace: 'company.com',
         caseSensitive: false,
         wholeWord: false,
-        expectedMessage: "Successfully replaced 'EXAMPLE.COM' with 'company.com' in column 'email'",
         expectedAffectedRows: 4,
       },
     ])(
       '$description',
-      async ({
-        column,
-        find,
-        replace,
-        caseSensitive,
-        wholeWord,
-        expectedMessage,
-        expectedAffectedRows,
-      }) => {
+      async ({ column, find, replace, caseSensitive, wholeWord, expectedAffectedRows }) => {
         const { data, status, error } = await api.project({ projectId }).replace.post({
           column,
           find,
@@ -147,7 +136,6 @@ describe('Project API - find and replace', () => {
         expect(status).toBe(200)
         expect(error).toBeNull()
         expect(data).toEqual({
-          message: expectedMessage,
           affectedRows: expectedAffectedRows,
         })
       },
@@ -163,7 +151,6 @@ describe('Project API - find and replace', () => {
         replace: 'Jonathan',
         caseSensitive: false,
         wholeWord: true,
-        expectedMessage: "Successfully replaced 'John' with 'Jonathan' in column 'name'",
         expectedAffectedRows: 1,
       },
       {
@@ -173,20 +160,11 @@ describe('Project API - find and replace', () => {
         replace: 'jonathan',
         caseSensitive: true,
         wholeWord: true,
-        expectedMessage: "Successfully replaced 'john' with 'jonathan' in column 'name'",
         expectedAffectedRows: 0,
       },
     ])(
       '$description',
-      async ({
-        column,
-        find,
-        replace,
-        caseSensitive,
-        wholeWord,
-        expectedMessage,
-        expectedAffectedRows,
-      }) => {
+      async ({ column, find, replace, caseSensitive, wholeWord, expectedAffectedRows }) => {
         const { data, status, error } = await api.project({ projectId }).replace.post({
           column,
           find,
@@ -198,7 +176,6 @@ describe('Project API - find and replace', () => {
         expect(status).toBe(200)
         expect(error).toBeNull()
         expect(data).toEqual({
-          message: expectedMessage,
           affectedRows: expectedAffectedRows,
         })
       },
@@ -212,18 +189,16 @@ describe('Project API - find and replace', () => {
         column: 'city',
         find: 'New York',
         replace: '',
-        expectedMessage: "Successfully replaced 'New York' with '' in column 'city'",
         expectedAffectedRows: 3,
       },
       {
         description: 'empty string replace with whole word',
         column: 'name',
         find: 'John',
         replace: '',
-        expectedMessage: "Successfully replaced 'John' with '' in column 'name'",
         expectedAffectedRows: 2,
       },
-    ])('$description', async ({ column, find, replace, expectedMessage, expectedAffectedRows }) => {
+    ])('$description', async ({ column, find, replace, expectedAffectedRows }) => {
       const { data, status, error } = await api.project({ projectId }).replace.post({
         column,
         find,
@@ -235,7 +210,6 @@ describe('Project API - find and replace', () => {
       expect(status).toBe(200)
       expect(error).toBeNull()
       expect(data).toEqual({
-        message: expectedMessage,
         affectedRows: expectedAffectedRows,
       })
     })
@@ -282,15 +256,13 @@ describe('Project API - find and replace', () => {
         column: 'email',
         find: '@',
         replace: '[AT]',
-        expectedMessage: "Successfully replaced '@' with '[AT]' in column 'email'",
         expectedAffectedRows: 5,
       },
       {
         description: 'handle single quotes',
         column: 'name',
         find: "John's",
         replace: "Jonathan's",
-        expectedMessage: "Successfully replaced 'John\\'s' with 'Jonathan\\'s' in column 'name'",
         expectedAffectedRows: 0, // No data with John's in test data
       },
     ])('$description', async ({ column, find, replace }) => {
diff --git a/backend/tests/services/replace-operation.service.test.ts b/backend/tests/services/replace-operation.service.test.ts
