| author | Stefan Majewsky <majewsky@gmx.net> | 2026-05-12 13:34:58 +0200 |
|---|---|---|
| committer | Stefan Majewsky <majewsky@gmx.net> | 2026-05-12 13:34:58 +0200 |
| commit | b3129b483ed3e1a0294dac9da44d5f56ae4746e2 (patch) | |
| tree | d46c8e0c0c9b28eef921fbf8b9cf18181486b31c | |
| parent | 80c3fadf24fe9d784d876eec247fd6799af49c8a (diff) | |
| download | go-oblast-b3129b483ed3e1a0294dac9da44d5f56ae4746e2.tar.gz | |
add escaping in Dialect.QuoteIdentifier implementations
| -rw-r--r-- | CHANGELOG.md | 4 | ||||
| -rw-r--r-- | dialect.go | 28 |
2 files changed, 26 insertions, 6 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d1f54cc..79bf0bf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,10 @@ API changes:
 (if the user provides the respective custom implementation of the `Handle` interface). Preliminary benchmarking has already shown that, for the PostgreSQL case, oblast + jackc/pgx is significantly more efficient than oblast + lib/pq.
+Changes:
+
+- Added escaping to `Dialect.QuoteIdentifier` implementations to reduce attack surface for SQL injection.
+
 # v0.6.0 (2026-05-08)
 API changes:
@@ -44,8 +44,13 @@ func MariaDBDialect() Dialect {
 type mariadbDialect struct{}
-func (mariadbDialect) Placeholder(_ int) string { return "?" }
-func (mariadbDialect) QuoteIdentifier(name string) string { return "`" + name + "`" }
+func (mariadbDialect) Placeholder(_ int) string {
+ return "?"
+}
+
+func (mariadbDialect) QuoteIdentifier(name string) string {
+ return "`" + strings.ReplaceAll(name, "`", "``") + "`"
+}
 func (d mariadbDialect) UpsertClause(pkColumns, otherColumns []string) string {
 clauses := make([]string, max(1, len(otherColumns)))
@@ -68,8 +73,13 @@ func PostgresDialect() Dialect {
 type postgresDialect struct{}
-func (postgresDialect) Placeholder(i int) string { return "$" + strconv.Itoa(i+1) }
-func (postgresDialect) QuoteIdentifier(name string) string { return `"` + name + `"` }
+func (postgresDialect) Placeholder(i int) string {
+ return "$" + strconv.Itoa(i+1)
+}
+
+func (postgresDialect) QuoteIdentifier(name string) string {
+ return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
+}
 func (d postgresDialect) UpsertClause(pkColumns, otherColumns []string) string {
 quotedPkColumns := make([]string, len(pkColumns))
@@ -98,8 +108,14 @@ func SqliteDialect() Dialect {
 type sqliteDialect struct{}
-func (sqliteDialect) Placeholder(_ int) string { return "?" }
-func (sqliteDialect) QuoteIdentifier(name string) string { return `"` + name + `"` }
+func (sqliteDialect) Placeholder(_ int) string {
+ return "?"
+}
+
+func (sqliteDialect) QuoteIdentifier(name string) string {
+ return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
+}
+
 func (sqliteDialect) UpsertClause(pkColumns, otherColumns []string) string {
 return postgresDialect{}.UpsertClause(pkColumns, otherColumns)
 } |
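Review bot: The new postgresDialect.QuoteIdentifier and sqliteDialect.QuoteIdentifier bodies are byte-identical, and the mariadb one differs only in the delimiter, so the sqlite version could delegate the way sqliteDialect.UpsertClause already does: `return postgresDialect{}.QuoteIdentifier(name)` (this applies to the sqliteDialect hunk on the following line as well as the postgres hunk here). None of the three new methods carries a doc comment, and the escaping is intentionally narrow — it doubles the embedded delimiter and does nothing else — so a comment such as `// QuoteIdentifier implements Dialect. It only doubles embedded delimiter characters; it performs no length or character-set validation, so identifiers should still originate from application code rather than from untrusted input.` would record that contract for callers and match the CHANGELOG's "reduce attack surface" wording rather than overstating it. The UpsertClause bodies that follow the new methods in the mariadb and postgres hunks continue outside the hunk.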
