typeorm: Unknown fields are stripped from WHERE clause

Issue type:

[ ] question [x] bug report [ ] feature request [x] documentation issue

Database system/driver:

[ ] cordova [ ] mongodb [ ] mssql [ ] mysql / mariadb [ ] oracle [x] postgres [ ] sqlite [ ] sqljs [ ] react-native [ ] expo

TypeORM version:

[x] latest [ ] @next [ ] 0.x.x (or put your version here)

Steps to reproduce or a small repository showing the problem: Reproducible with https://github.com/typeorm/typescript-example

Create some categories in the DB

Add this snippet

const categoryRepository = getRepository(Category);
const categories = await categoryRepository.find({doesNotExist: 'any value'} as any);
console.log(categories);

I would expect categories to be empty since we’re querying a non-existent field. However the query actually returns everything (i.e., every record in the Category table).

Is there any reason the doesNotExist key is not present in the resulting SQL query please?

About this issue

Original URL
State: closed
Created 5 years ago
Reactions: 12
Comments: 25 (15 by maintainers)

Commits related to this issue

fix: Unknown fields are stripped from WHERE clause (issue #3416) — committed to proxyco/typeorm by deleted user 4 years ago
fix: Unknown fields are stripped from WHERE clause (issue #3416) — committed to proxyco/typeorm by deleted user 4 years ago
fix: Unknown fields are stripped from WHERE clause (issue #3416) — committed to proxyco/typeorm by deleted user 4 years ago
fix: Unknown fields are stripped from WHERE clause (issue #3416) — committed to proxyco/typeorm by deleted user 4 years ago
fix: Unknown fields are stripped from WHERE clause (issue #3416) — committed to proxyco/typeorm by deleted user 4 years ago
fix: Unknown fields are stripped from WHERE clause (issue #3416) — committed to proxyco/typeorm by deleted user 4 years ago
fix: Unknown fields are stripped from WHERE clause (issue #3416) (#5603) * fix: Unknown fields are stripped from WHERE clause (issue #3416) * update non-exist columns test — committed to typeorm/typeorm by johannessjoberg 4 years ago
chore: Merge `master` into `next` (#6583) * chore(deps): bump acorn from 5.7.3 to 5.7.4 (#5679) Bumps [acorn](https://github.com/acornjs/acorn) from 5.7.3 to 5.7.4. - [Release notes](https://gith... — committed to typeorm/typeorm by imnotjames 4 years ago
fix: Unknown fields are stripped from WHERE clause (issue #3416) (#5603) * fix: Unknown fields are stripped from WHERE clause (issue #3416) * update non-exist columns test — committed to zaro/typeorm by johannessjoberg 4 years ago

Most upvoted comments

I still think this is highly critical. This bug causes delete/update statements to drop/update more data than the query would assume.

+19

spech66 on Jan 29, 2019

Adding a flag would increase complexity. I think we should just throw an error - it’s a programmer error and it should be fixed as soon as possible or program logic may become unstable.

+17

Kononnable on Jan 15, 2019

Like @spech66 mentioned, the current behaviour is very dangerous, because intentionally one would think that queries are correct when there is no error. If I query “Tasks by user” and the user field is misspelled (or has been changed), then TypeORM is leaking ALL data.

Finding a solution for this would be great 👍

+13

baba43 on Dec 15, 2019

This is deeply wrong behavior. Has anyone found a workaround?

+12

reverie on Jan 16, 2020

Im for throwing an error. If its so-breaking we need to do it against next.

+12

pleerock on Jan 13, 2019

I think this issue can be closed.

dsbert on Jun 30, 2020

Original question:

Is there any reason the doesNotExist is not present in the resulting SQL query please?

@realyze if typeorm do not remove non-exists columns from your query, you will get error from database. So thats reason why we do it.

ah, okay… Shall we apply same strategy for selects?

This is breaking change. Lot of users will get errors after it. But IMHO it is correct behaviour to throw error if someone try to use unknown column in where statement of SQL (database will return error in this case, too). @Kononnable, @havenchyk what do you think about this?

vlapo on Jan 13, 2019

This is major issue when you consider using find and remove. Is there any way we can help to solve this issue?

bhuvinth on Jul 28, 2020

Compile time should be in the @next but require a version of typescript we can’t use yet.

imnotjames on Oct 14, 2020

Very often it happens like this: where: { userId } instead of where: { user }. It can be really hard to find this out during a code review.

justvamp on Mar 12, 2019

also here are old issues for this #2528, #2690

silentroach on Jan 15, 2019

I just opened a similar issue (#5832) about this but on a different perspective:

As a user, I want the compiler to tell me I’m using a property that does not exist.

My suggestion for this would be to have two different where properties: a raw one and a “typed” one.

To maintain backwards compatibility, the current where could be of type string|ObjectLiteral|FindConditions<Entity> and keep the property stripping behavior.

The new where property could be forcefully set to FindConditions<Entity> and not stripe anything.

araujoigor on Apr 8, 2020

Okey, I think we should add this into 0.3.0 release as throwing error is breaking change for som users.

vlapo on Jun 7, 2019