diff --git a/lib/dbwrap.js b/lib/dbwrap.js
index b9de65f..af4f680 100644
--- a/lib/dbwrap.js
+++ b/lib/dbwrap.js
@@ -13,7 +13,12 @@ function wrap(db, dir, dbsMap) {
   }
   db.escape = function (str) {
-    return (str||'').toString().replace(/'/g, "''");
+    // TODO? literals for true,false,null
+    // error on undefined?
+    if (undefined === str) {
+      str = '';
+    }
+    return String(str).replace(/'/g, "''");
   };
   function lowerFirst(str) {
@@ -229,9 +234,21 @@ function wrap(db, dir, dbsMap) {
   };
   DB.find = function (obj, params) {
+    var err;
     var sql = 'SELECT * FROM \'' + tablename + '\' ';
     var keys = obj && Object.keys(obj);
+    if (obj) {
+      Object.keys(obj).forEach(function (key) {
+        if (undefined === obj[key]) {
+          err = new Error("'" + key + "' was `undefined'. For security purposes you must explicitly set the value to null or ''");
+        }
+      });
+    }
+    if (err) {
+      return PromiseA.reject(err);
+    }
     if (obj && keys.length) {
       sql += 'WHERE ';
@@ -240,9 +257,10 @@ function wrap(db, dir, dbsMap) {
         sql += 'AND ';
       }
       if (null === obj[key]) {
-        sql += db.escape(snakeCase(key)) + " IS '" + db.escape(obj[key]) + "'";
+        sql += db.escape(snakeCase(key)) + " IS null";
       } else {
+        // TODO check that key is some type? ignore undefined?
         sql += db.escape(snakeCase(key)) + " = '" + db.escape(obj[key]) + "'";
       }
     });
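Review bot: In db.escape, `String(str)` turns null into the text `null`, whereas the removed `(str||'')` mapped null (and false, 0) to an empty string, so any caller that still passes null into a `= '...'` literal now compares against the string 'null'. DB.find in the later hunks branches on null before calling escape, so that path is fine, but other callers of db.escape are not visible here. Either state the contract in a comment, `// null/boolean/number are stringified verbatim; callers must emit IS NULL themselves`, or extend the guard to `if (str === undefined || str === null) { str = ''; }`. Note also that doubling single quotes only protects a string literal; the function is used on column identifiers in the third hunk.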
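Review bot: The undefined check in DB.find walks `Object.keys(obj)` a second time although `keys` already holds that list, and because `err` is overwritten on every hit only the last offending key is reported. `var bad = keys.filter(function (k) { return undefined === obj[k]; });` followed by `if (bad.length) { return PromiseA.reject(new Error("'" + bad.join("', '") + "' was `undefined'. ...")); }` reports all of them in one pass and drops the separate `err` variable. Values that are objects or arrays still pass this check and reach db.escape as `[object Object]`, so if only scalars are meant to be accepted that should be rejected here as well. DB.find continues outside the hunk.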
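Review bot: `db.escape(snakeCase(key))` is inserted unquoted as a column identifier in both branches of the if/else, but escape only doubles single quotes, which protects a string literal and not an identifier, so any key that is not a bare identifier changes the structure of the statement. Since the second hunk already treats obj as untrusted enough to reject undefined values, the key should be quoted as an identifier or validated against an identifier pattern, e.g. `var col = '"' + snakeCase(key).replace(/"/g, '""') + '"';` and then `sql += col + " IS NULL";` / `sql += col + " = '" + db.escape(obj[key]) + "'";`. The enclosing forEach callback and DB.find both start and end outside the hunk.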