From 3613ee1cf2ed74a36757a003200b268e7701fe76 Mon Sep 17 00:00:00 2001
From: Ryan Hafer <hafer.ryan@gmail.com>
Date: Mon, 3 Apr 2017 23:46:27 -0400
Subject: [PATCH 1/2] Update the mysql node to have a direct query input in the
 node configuration to free up the msg.topic.

---
 storage/mysql/68-mysql.html      |  60 ++++++++++++--
 storage/mysql/68-mysql.js        |  77 ++++++++++++++----
 storage/mysql/README.md          |  35 +++++++--
 storage/mysql/icons/sql.png      | Bin 0 -> 1694 bytes
 storage/mysql/package.json       |  16 ++++
 test/storage/mysql/mysql_spec.js | 129 +++++++++++++++++++++++++++++++
 6 files changed, 287 insertions(+), 30 deletions(-)
 create mode 100644 storage/mysql/icons/sql.png
 create mode 100644 test/storage/mysql/mysql_spec.js

diff --git a/storage/mysql/68-mysql.html b/storage/mysql/68-mysql.html
index 85abf6b73..7bb068fc0 100644
--- a/storage/mysql/68-mysql.html
+++ b/storage/mysql/68-mysql.html
@@ -53,41 +53,85 @@
         <label for="node-input-mydb"><i class="fa fa-database"></i> Database</label>
         <input type="text" id="node-input-mydb">
     </div>
+    <div class="form-row">
+        <label for="node-input-parameterSource"><i class="fa fa-edit"></i> Input Source </label>
+        <input type="text" id="node-input-parameterSource" placeholder="payload" style="width:250px;">
+        <input type="hidden" id="node-input-fieldType">
+    </div>
     <div class="form-row">
         <label for="node-input-name"><i class="fa fa-tag"></i> Name</label>
         <input type="text" id="node-input-name" placeholder="Name">
     </div>
+    <div class="form-row" style="position: relative; margin-bottom: 0px;">
+      <label for="node-input-query"><i class="fa fa-file-code-o"></i> Query</label>
+      <input type="hidden" id="node-input-query" autofocus="autofocus">
+    </div>
+    <div class="form-row node-text-editor-row">
+      <div style="min-height:150px;" class="node-text-editor" id="node-input-mysql-query-editor" ></div>
+    </div>
 </script>
 
 <script type="text/x-red" data-help-name="mysql">
     <p>Allows basic access to a MySQL database.</p>
-    <p>This node uses the <b>query</b> operation against the configured database. This does allow both INSERTS and DELETES.
-    By its very nature it allows SQL injection... so <i>be careful out there...</i></p>
-    <p><code>msg.topic</code> must hold the <i>query</i> for the database, and the result is returned in <code>msg.payload</code>.</p>
-    <p><code>msg.payload</code> can contain an array of values to bind to the topic.</p>
+    <p>This node uses the <b>query</b> operation against the configured database. This does allow both INSERTS and DELETES.</i></p>
+    <p>Using legacy method of queries set in `msg.topic` allows SQL injection... so <i>be careful out there...</i>
+    <h3>Query</h3>
+    <p>Enter SQL queries and escapes input values that are located at a set path in the <code>msg</code> object.</p>
+    <p>SQL queries can use mustache style variable insertion. If our <code>msg.payload</code> has a property <code>key</code>, we would write a query as following:</p>
+    <pre>
+       SELECT *
+       FROM table
+       WHERE column = {{key}};
+    </pre>
+    <p>For escaped input clarification, you can refer to the documentation for <a href="https://github.com/mysqljs/mysql#escaping-query-values">mysqljs/mysql</a>.
+    <h3>Results</h3>
     <p>Typically the returned payload will be an array of the result rows.</p>
     <p>If nothing is found for the key then <i>null</i> is returned,</p>
+    <h3>Misc.</h3>
     <p>The reconnect timeout in milliseconds can be changed by adding a line to <b>settings.js</b>
     <pre>mysqlReconnectTime: 30000,</pre></p>
+    <h3>Legacy</h3>
+    <p><code>msg.topic</code> must hold the <i>query</i> for the database, and the result is returned in <code>msg.payload</code>.</p>
+    <p><code>msg.payload</code> can contain an array of values to bind to the topic.</p>
 </script>
 
 <script type="text/javascript">
     RED.nodes.registerType('mysql',{
         category: 'storage-input',
-        color:"#e97b00",
+        color:"rgb(233, 143, 20)",
         defaults: {
             mydb: {type:"MySQLdatabase",required:true},
-            name: {value:""}
+            name: {value:""},
+            parameterSource: {value: 'payload' },
+            fieldType: {value:"msg"},
+            query: {value: ""}
         },
         inputs:1,
         outputs:1,
-        icon: "db.png",
+        icon: "sql.png",
         label: function() {
             var levelNode = RED.nodes.node(this.mydb);
             return this.name||(levelNode?levelNode.label():"mysql");
         },
-            labelStyle: function() {
+        labelStyle: function() {
             return this.name?"node_label_italic":"";
+        },
+        oneditprepare: function(){
+          $("#node-input-parameterSource").typedInput({
+              default: 'msg',
+              types: ['msg'],
+              typeField: $("#node-input-fieldType")
+          });
+          this.editor = RED.editor.createEditor({
+              id: 'node-input-mysql-query-editor',
+              mode: 'ace/mode/sql',
+              value: $("#node-input-query").val()
+          });
+
+        },
+        oneditsave: function() {
+            $("#node-input-query").val(this.editor.getValue())
+            delete this.editor;
         }
     });
 </script>
diff --git a/storage/mysql/68-mysql.js b/storage/mysql/68-mysql.js
index a3362fa50..ae29dee1d 100644
--- a/storage/mysql/68-mysql.js
+++ b/storage/mysql/68-mysql.js
@@ -102,6 +102,8 @@ module.exports = function(RED) {
         RED.nodes.createNode(this,n);
         this.mydb = n.mydb;
         this.mydbConfig = RED.nodes.getNode(this.mydb);
+        this.query = n.query;
+        this.parameterSource = n.parameterSource || 'payload';
 
         if (this.mydbConfig) {
             this.mydbConfig.connect();
@@ -118,24 +120,67 @@ module.exports = function(RED) {
 
             node.on("input", function(msg) {
                 if (node.mydbConfig.connected) {
-                    if (typeof msg.topic === 'string') {
-                        //console.log("query:",msg.topic);
-                        var bind = Array.isArray(msg.payload) ? msg.payload : [];
-                        node.mydbConfig.connection.query(msg.topic, bind, function(err, rows) {
-                            if (err) {
-                                node.error(err,msg);
-                                node.status({fill:"red",shape:"ring",text:"Error"});
-                            }
-                            else {
-                                msg.payload = rows;
-                                node.send(msg);
-                                node.status({fill:"green",shape:"dot",text:"OK"});
-                            }
-                        });
+                    node.status({fill:"green",shape:"dot",text:"connected"});
+
+                    // Query to be executed
+                    var query = node.query;
+
+                    // Array of input parameters
+                    var parameters = [];
+
+                    if(query.length){
+                        // Search for all paramters in a query
+                        var parametersUsed = node.query.match(/\{\{[A-z\.0-9]*?\}\}/g);
+                        var parameterSourcePath = node.parameterSource.split('.');
+
+                        var sourceObject = msg;
+
+                        // Defaults to top level
+                        var parameterSourceKey = parameterSourcePath.shift();
+                        while(parameterSourceKey){
+                            sourceObject = sourceObject[parameterSourceKey];
+
+                            parameterSourceKey = parameterSourcePath.shift();
+                        }
+                        // Loop matched parameters in query
+                        if(parametersUsed) {
+                          for(var i=0; i < parametersUsed.length; i++){
+                              var parameter = parametersUsed[i];
+                              query = query.replace(parameter,'?');
+
+                              // Clean out {{}} characters and create a dot deliminated array of keys to traverse.
+                              var parameterPath = parameter.replace(/[^A-z\.0-9]/g,'')
+                                  .split('.');
+
+                              // Default to key
+                              var value = sourceObject;
+                              var parameterPathKey = parameterPath.shift();
+                              while(parameterPathKey){
+                                  value = value[parameterPathKey];
+                                  parameterPathKey = parameterPath.shift();
+                              }
+
+                              // Add to our parameter array for query execution
+                              parameters.push(value);
+                          }
+                        }
                     }
-                    else {
-                        if (typeof msg.topic !== 'string') { node.error("msg.topic : the query is not defined as a string"); }
+                    else if (typeof msg.topic === 'string') {
+                        parameters = Array.isArray(msg.payload) ? msg.payload : [];
+                        query = msg.topic;
                     }
+
+                    node.mydbConfig.connection.query(query, parameters, function(err, rows) {
+                        if (err) {
+                            node.error(err,msg);
+                            node.status({fill:"red",shape:"ring",text:"Error"});
+                        }
+                        else {
+                            msg.payload = rows;
+                            node.send(msg);
+                            node.status({fill:"green",shape:"dot",text:"OK"});
+                        }
+                    });
                 }
                 else {
                     node.error("Database not connected",msg);
diff --git a/storage/mysql/README.md b/storage/mysql/README.md
index b3b769304..8e0ac9587 100644
--- a/storage/mysql/README.md
+++ b/storage/mysql/README.md
@@ -15,15 +15,38 @@ Usage
 
 Allows basic access to a MySQL database.
 
-This node uses the <b>query</b> operation against the configured database. This does allow both INSERTS and DELETES.
+This node uses the query operation against the configured database. This does allow both INSERTS and DELETES.
 
-By it's very nature it allows SQL injection... so <i>be careful out there...</i>
+Using legacy method where queries are set in `msg.topic` allows SQL injection... so be careful out there...
 
-The `msg.topic` must hold the <i>query</i> for the database, and the result is returned in `msg.payload`.
+###Direct Inserted Queries
+
+With SQL queries that are directly added on the node, variables are escaped.
+
+SQL queries can use mustache style variable insertion. If our `msg.payload` has a property `key`, we would write a query as following:
+
+```
+    SELECT *
+    FROM table
+    WHERE column = {{key}};
+```
+
+For more escaped input information, you can refer to the documentation for [mysqljs/mysql](https://github.com/mysqljs/mysql).
+
+###Results
 
 Typically the returned payload will be an array of the result rows.
 
-If nothing is found for the key then <i>null</i> is returned.
+If nothing is found for the key then null is returned,
+
+###Misc.
+
+The reconnect timeout in milliseconds can be changed by adding a line to settings.js
+
+`mysqlReconnectTime: 30000,`
+
+###Legacy
+
+`msg.topic` must hold the query for the database, and the result is returned in `msg.payload`.
 
-The reconnect retry timeout in milliseconds can be changed by adding a line to <b>settings.js</b>
-    <pre>mysqlReconnectTime: 30000,</pre></p>
+`msg.payload` can contain an array of values to bind to the topic.
diff --git a/storage/mysql/icons/sql.png b/storage/mysql/icons/sql.png
new file mode 100644
index 0000000000000000000000000000000000000000..6a3944a02b3ddeb284491fe0e81ca6ac939ac250
GIT binary patch
literal 1694
zcmX|?2~^Tq7r_6ZskmEx9G6K6MI#l&1rygqN03}1+(yNeMM(t&60{sm{hG@B3Z}*~
zG)E~58)wS0Niwm82DR+damiz;S?;@InJo@Boq6Zn_uhT?zTds~op;VX9vL2Dq;IJY
z0DuvZ5Jc9j0UM&HqnYKbtd{@)vSLwU1+ig!a5PRPDw)nnVW32rT#X$7eEdb+WLi2y
z083${ve>@xc|{8x#-jVeV?4rK!nk-w8jFz2W9-Wfr_gfKX<l@=zn{L32&VyLG6cym
zQDz34j}!UAzi@Gy{l+mG4*TLFNcV-uhDE~g93BJaf$~7P!2R@LK0G=TM-KY->t&7R
z3r`aWxHvRgC={ZEZYT~f6^-%o@<O|~qFr5`H6G6V9JU}?<jm&VZXo_)1TpwD9*Zkr
zaoDg8W^xMWpuiUnM{fi{e~qF^7yWO(8s*=L8Ej3NJWV~8p><Q5XDVRf@sWITNFa<D
zjK^ZUuvlkT6b1lxh!2W89fS66eeADOYFHZS<Yb@hQG+><QghP%j11GZ-)(uUtlX12
zUuqZ6sM~RUF}*cO86D>sEVCn}r#$#e>KRc=e>yw3d}ruT=j2O%tJxEzeDA2PN76If
zk<+PI?0A;nXtjlIrn~Atc&p0t@~Y~*!M%(}Ru`k{mhR*~IlIR~pV9*{L6%cZt+!Oh
zBGaH8gWEfwi^!{#{<`)}|K&LQCNGyfvbfOV)LSDq<GMo*xwh<DEIE6vUcbG4lFV;!
z>&&}W<}O=u>)!1B$lK+ZseSPeS>IZ0C)gCZ>Moj9#Y9v7cvrUM5GP3pW|l??pz70?
z3S$0bT&<LxgZd(DAIp2zTk<@*K7kauc)bG`_bmTnC5?|9bbr!`?{>1@y<(g2y8S&#
z*JS~<#*CXD(0zxKCjNBmp|O+`@SzCWH;TCW-Jm%9!8F8ORrSVlYJ9fx(+vNx$^Sjx
z%N_e)6j^)CQ&)99gHszjI{pA@{w0J<h~oo*!IljH0p(J20MM!+2JNPZq_gD;_EzH7
zqb&_Eu_@OqMW`Cv6tD!3hTn%48rqRF$a=>`2AipXUY~3Rwf(z(Lmwz?QOD2?3N;PT
zTZ1%Np2%AHy|z}aXr79&ycHG2N9FfP<@H#>m+`S!wuzV@YKe5MJar*#EcO`bbKcBD
zE%0Hn;Ho;IXoq51z3`FH<v?ulJpXGLmS72LLGaU<Pa{yO_~C2ko5SAl5BU6O^f@u~
z6}J`u&;<;)57I8-v81W&SS4$JV%NQ<ZMTDgf_7y^Q$-^YD7YZc$;luYExgxHz%+y)
zM^~*o>39QeVAW9S)=-9|9eMjnn`aDOCrs65{}~Me)|5jM<I4iF0+8g+b?!bsqAq)E
z&s3gJyaZ!OCnK7Cda2s##(N~@TfgfU$?h1fHKijlU9u+09xTSOQgkTrBtKgBSX31h
z2P!wNV!aJ%6xxXN3_CKmKF{{0_)HE+1lK3~Ya;g+l*}m%B)y1I#{pt1A#RVs&xdJF
zMejOhnq<Ml2rix3Gd-g9Tqk3~Q?;Ye<i!ehHq81)KRW`eItR*gvqCPicy=mg@3Pfc
zC5U><1mUk;FFsCZd-e%4f2J*L|4rwwY^(W|&iiwoX}$VxZw}#!A+@VsQ>xc@#gx@8
z<=^;o?jF?pZE7IK&gkyjBQi$c?P%V|6Vvg|Bey9U%QOCLQNYmA>FKC#Hl%_(CBtX%
zPw(zx1Nj}v4*f|>+*{AW!`o6p>#xUi0{yeD;x2&`TdT(|FUqIUG>85#a2SJFKlOO`
zmHF{wK4zbP1s99zZR(Ua<@b;*#g%-t-a=1a;7oLnCt{mK5E@=g0n3~UOPGzPcp*cC
zHX-YR60*OwgQ_)tWPR{l(mrjR1pyJPmH1x8jO#kuH^<4ioLSt6sNiMl4z3)4v|M`i
z3%+1y{K);qIq%L;2eN5Q1^6{Q;YaUv;l+D5y#1ZbTkPjAU6GCQ{7r}sh~^TclA80)
zOZ&P__+bq9a&^V(sRvY-2;2Uhugn+F%LtPN`i<=>!{5`Ho@XlVG*>s*2CDz}u%6U3
zY={O;D|Z#Xh&`!J84w>n9amCCbD9iXqHH$(@Ma=!7=0uEd-L;gj!8Gy1e_oCnZF<j
z!0y`ux{I~bx;OvSaJG$0C^+NYB)2O;-qd%J%uX2B@^H2`YAl9BHXp)hNox?pAV@70
i(wJbVmdsB~OswjdJzY}D8x-)3wn7XJ52_E`U-&mtZRkk=

literal 0
HcmV?d00001

diff --git a/storage/mysql/package.json b/storage/mysql/package.json
index 8de0fc77a..5dda21bd2 100644
--- a/storage/mysql/package.json
+++ b/storage/mysql/package.json
@@ -20,5 +20,21 @@
         "name": "Dave Conway-Jones",
         "email": "ceejay@vnet.ibm.com",
         "url": "http://nodered.org"
+    },
+    "contributor": [
+        {
+            "name": "RyanSH100",
+            "url": "https://github.com/ryansh100"
+        }
+    ],
+    "scripts": {
+        "test": "mocha '../../test/storage/mysql/mysql_spec.js'"
+    },
+    "devDependencies": {
+        "mocha": "^3.2.0",
+        "proxyquire": "^1.7.10",
+        "should": "^11.1.2",
+        "should-sinon": "0.0.5",
+        "sinon": "^1.17.7"
     }
 }
diff --git a/test/storage/mysql/mysql_spec.js b/test/storage/mysql/mysql_spec.js
new file mode 100644
index 000000000..2816f9b50
--- /dev/null
+++ b/test/storage/mysql/mysql_spec.js
@@ -0,0 +1,129 @@
+var sinon = require('sinon');
+var should = require('should');
+var proxyquire =  require('proxyquire');
+var helper = require('../../../test/helper.js');
+var mysqlConnection;
+var mysqlConnectionPool = {
+    getConnection(callback) {
+       callback(null, mysqlConnection);
+    }
+}
+var mysqlMock = {
+    createPool: function () {
+      return mysqlConnectionPool;
+    }
+}
+
+var mysqlNode = proxyquire('../../../storage/mysql/68-mysql.js',
+                    { 'mysql': mysqlMock });
+
+describe('test MySql Node', function() {
+    var flow = [ {
+      id:"n1",
+      type:"mysql",
+      name:"mysql",
+      mydb: "mysqlConfig",
+      wires:[[]],
+      query: "SELECT * FROM tables WHERE columnB = {{B}} AND columnA IN ({{A}})"
+    },
+    {
+      id: 'mysqlConfig',
+      type: 'MySQLdatabase',
+      host: 'some-host',
+      port: 'some-port'
+    }];
+    var creds = {
+      "mysqlConfig": {
+        user: 'some-user',
+        password: 'some-pass'
+      }
+    }
+    var queryNode;
+
+    beforeEach(function(done){
+        helper.load(mysqlNode, flow, creds, function() {
+            queryNode = helper.getNode('n1');
+            done();
+        });
+        mysqlConnection = {
+          connect: function(callback){
+            callback();
+          },
+          on: sinon.spy(),
+          query: sinon.spy()
+        };
+    });
+    afterEach(function(done) {
+        helper.unload().then(done);
+    });
+    it('can make a simple query', function(done) {
+        queryNode.query = "SELECT * FROM table";
+        queryNode.receive({
+          topic: 'some-topic',
+          payload: "A Message"
+        });
+
+        setTimeout(function() {
+            mysqlConnection.query.calledWith(
+              "SELECT * FROM table",
+              []).should.be.true();
+            done();
+        }, 25);
+    });
+
+    it('can accept moustache style variables in query', function(done) {
+        queryNode.receive({payload:{"A":"ParamA", "B":"ParamB"}});
+
+        setTimeout(function() {
+            mysqlConnection.query.calledWith(
+              "SELECT * FROM tables WHERE columnB = ? AND columnA IN (?)",
+              [
+              "ParamB",
+              "ParamA"
+            ]).should.be.true();
+            done();
+        }, 25);
+    });
+
+    it('can use deeply nested properties for variable source', function(done) {
+        queryNode.parameterSource = "payload.deeply.nested";
+        queryNode.receive({
+            payload: {
+                deeply: {
+                    nested: {
+                        "A": "ParamA",
+                        "B": "ParamB"
+                    }
+                }
+            }
+        });
+
+        setTimeout(function() {
+            mysqlConnection.query.calledWith(
+              "SELECT * FROM tables WHERE columnB = ? AND columnA IN (?)",
+              [
+              "ParamB",
+              "ParamA"
+            ]).should.be.true();
+            done();
+        }, 25);
+    });
+
+    it('can fallback to topic based queries', function(done) {
+        queryNode.query = "";
+        queryNode.receive({
+            topic: 'SELECT * FROM table',
+            payload: {
+                "A": "ParamA",
+                "B": "ParamB"
+            }
+        });
+
+        setTimeout(function() {
+            mysqlConnection.query.calledWith(
+              "SELECT * FROM table",
+              []).should.be.true();
+            done();
+        }, 25);
+    });
+});

From 4f2b5ea3511cbeeaf792a331152713befcbb89a9 Mon Sep 17 00:00:00 2001
From: Ryan Hafer <hafer.ryan@gmail.com>
Date: Mon, 3 Apr 2017 23:58:44 -0400
Subject: [PATCH 2/2] Update missing mysql dependency for CI tests.

---
 package.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package.json b/package.json
index a6cbec9e6..6e96db76a 100644
--- a/package.json
+++ b/package.json
@@ -35,7 +35,8 @@
         "poplib" : "^0.1.7",
         "mailparser" : "^0.6.1",
         "imap" : "^0.8.18",
-        "msgpack-js": "^0.3.0"
+        "msgpack-js": "^0.3.0",
+        "mysql": "^2.13.0"
     },
     "engines": {
         "node": ">=0.10"