-rw-r--r--CHANGELOG.md4
-rw-r--r--dialect.go28
2 files changed, 26 insertions, 6 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d1f54cc..79bf0bf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,10 @@ API changes:
(if the user provides the respective custom implementation of the `Handle` interface).
Preliminary benchmarking has already shown that, for the PostgreSQL case, oblast + jackc/pgx is significantly more efficient than oblast + lib/pq.
+Changes:
+
+- Added escaping to `Dialect.QuoteIdentifier` implementations to reduce attack surface for SQL injection.
+
# v0.6.0 (2026-05-08)
API changes:
diff --git a/dialect.go b/dialect.go
index 5a96cef..3c49f58 100644
--- a/dialect.go
+++ b/dialect.go
@@ -44,8 +44,13 @@ func MariaDBDialect() Dialect {
type mariadbDialect struct{}
-func (mariadbDialect) Placeholder(_ int) string { return "?" }
-func (mariadbDialect) QuoteIdentifier(name string) string { return "`" + name + "`" }
+func (mariadbDialect) Placeholder(_ int) string {
+ return "?"
+}
+
+func (mariadbDialect) QuoteIdentifier(name string) string {
+ return "`" + strings.ReplaceAll(name, "`", "``") + "`"
+}
func (d mariadbDialect) UpsertClause(pkColumns, otherColumns []string) string {
clauses := make([]string, max(1, len(otherColumns)))
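Review bot: The new mariadbDialect.QuoteIdentifier doubles embedded backticks, which is the correct MySQL/MariaDB escape for a backtick-quoted identifier, but none of the three new QuoteIdentifier implementations (this one, the postgres one in the second hunk, the sqlite one in the third) carry a doc comment stating that contract, and quoting alone does not make an arbitrary caller-supplied name safe to use as a schema object. I would add `// QuoteIdentifier wraps name in backticks, doubling any embedded backtick so that name cannot close the quoted identifier; callers that take identifiers from untrusted input should still check them against an allowlist of known tables/columns.` above the method, with the matching sentence on the other two dialects. Note also that doubling covers only the quote character: a NUL byte in name is not a valid identifier byte in MySQL and, depending on the driver, may truncate the statement text, so either rejecting that case or documenting it is worth considering.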
@@ -68,8 +73,13 @@ func PostgresDialect() Dialect {
type postgresDialect struct{}
-func (postgresDialect) Placeholder(i int) string { return "$" + strconv.Itoa(i+1) }
-func (postgresDialect) QuoteIdentifier(name string) string { return `"` + name + `"` }
+func (postgresDialect) Placeholder(i int) string {
+ return "$" + strconv.Itoa(i+1)
+}
+
+func (postgresDialect) QuoteIdentifier(name string) string {
+ return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
+}
func (d postgresDialect) UpsertClause(pkColumns, otherColumns []string) string {
quotedPkColumns := make([]string, len(pkColumns))
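Review bot: postgresDialect.QuoteIdentifier doubles embedded double quotes, which is the standard SQL identifier escape, but the doc comment the method still lacks should also record that PostgreSQL truncates identifiers longer than 63 bytes (NAMEDATALEN-1) with only a NOTICE, so two distinct long caller-supplied names can resolve to the same object after quoting. Suggested: `// QuoteIdentifier wraps name in double quotes, doubling any embedded double quote. PostgreSQL silently truncates identifiers longer than 63 bytes; check the length when name comes from untrusted input.` The escaping itself is byte-for-byte the same as the sqlite version in the next hunk.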
@@ -98,8 +108,14 @@ func SqliteDialect() Dialect {
type sqliteDialect struct{}
-func (sqliteDialect) Placeholder(_ int) string { return "?" }
-func (sqliteDialect) QuoteIdentifier(name string) string { return `"` + name + `"` }
+func (sqliteDialect) Placeholder(_ int) string {
+ return "?"
+}
+
+func (sqliteDialect) QuoteIdentifier(name string) string {
+ return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
+}
+
func (sqliteDialect) UpsertClause(pkColumns, otherColumns []string) string {
return postgresDialect{}.UpsertClause(pkColumns, otherColumns)
}
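Review bot: sqliteDialect.QuoteIdentifier repeats the postgres body verbatim even though UpsertClause directly below it already delegates to `postgresDialect{}`; for consistency `return postgresDialect{}.QuoteIdentifier(name)` would keep the two escaping rules from drifting apart. A comment is also warranted here because SQLite, unless the library was built with the double-quoted-string misfeature disabled (SQLITE_DQS), treats a double-quoted token that does not resolve to an identifier as a string literal, so an unknown or misspelled column name quoted this way may be accepted as a constant rather than rejected. Something like `// NOTE: SQLite may parse an unresolved "name" as a string literal (DQS misfeature); callers must not rely on quoting to detect bad identifiers.` above the method would make that explicit.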