From b3129b483ed3e1a0294dac9da44d5f56ae4746e2 Mon Sep 17 00:00:00 2001
From: Stefan Majewsky
Date: Tue, 12 May 2026 13:34:58 +0200
Subject: add escaping in Dialect.QuoteIdentifier implementations
---
 dialect.go | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)
(limited to 'dialect.go')
diff --git a/dialect.go b/dialect.go
index 5a96cef..3c49f58 100644
--- a/dialect.go
+++ b/dialect.go
@@ -44,8 +44,13 @@ func MariaDBDialect() Dialect {

 type mariadbDialect struct{}

-func (mariadbDialect) Placeholder(_ int) string { return "?" }
-func (mariadbDialect) QuoteIdentifier(name string) string { return "`" + name + "`" }
+func (mariadbDialect) Placeholder(_ int) string {
+ return "?"
+}
+
+func (mariadbDialect) QuoteIdentifier(name string) string {
+ return "`" + strings.ReplaceAll(name, "`", "``") + "`"
+}

 func (d mariadbDialect) UpsertClause(pkColumns, otherColumns []string) string {
 clauses := make([]string, max(1, len(otherColumns)))
@@ -68,8 +73,13 @@ func PostgresDialect() Dialect {

 type postgresDialect struct{}

-func (postgresDialect) Placeholder(i int) string { return "$" + strconv.Itoa(i+1) }
-func (postgresDialect) QuoteIdentifier(name string) string { return `"` + name + `"` }
+func (postgresDialect) Placeholder(i int) string {
+ return "$" + strconv.Itoa(i+1)
+}
+
+func (postgresDialect) QuoteIdentifier(name string) string {
+ return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
+}

 func (d postgresDialect) UpsertClause(pkColumns, otherColumns []string) string {
 quotedPkColumns := make([]string, len(pkColumns))
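Review bot: A NUL byte in `name` still passes through the new mariadbDialect.QuoteIdentifier unchanged, and the same is true of the postgresDialect and sqliteDialect variants in the later hunks, because only the delimiter character is doubled. The MySQL/MariaDB and PostgreSQL documentation both exclude the zero character from quoted identifiers, and how each driver treats a NUL inside statement text cannot be seen from this diff. Since the method returns only a string, one option is to drop the byte before quoting, `name = strings.ReplaceAll(name, "\x00", "")`, or to reject such names at the point where identifiers enter the library.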
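Review bot: postgresDialect.QuoteIdentifier has no doc comment stating what input it expects, and the same holds for the mariadbDialect and sqliteDialect variants. The body quotes the whole argument as one identifier, so a dotted name such as `schema.table` comes out as a single identifier rather than a qualified one. If the Dialect interface (outside this hunk) does not already say so, a comment like `// QuoteIdentifier quotes name as one identifier part, doubling embedded double quotes; it does not split qualified names and must not be used for values.` would record the contract.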
@@ -98,8 +108,14 @@ func SqliteDialect() Dialect {

 type sqliteDialect struct{}

-func (sqliteDialect) Placeholder(_ int) string { return "?" }
-func (sqliteDialect) QuoteIdentifier(name string) string { return `"` + name + `"` }
+func (sqliteDialect) Placeholder(_ int) string {
+ return "?"
+}
+
+func (sqliteDialect) QuoteIdentifier(name string) string {
+ return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
+}
+
 func (sqliteDialect) UpsertClause(pkColumns, otherColumns []string) string {
 return postgresDialect{}.UpsertClause(pkColumns, otherColumns)
 }
-- cgit v1.2.3
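Review bot: sqliteDialect.QuoteIdentifier repeats the postgresDialect body verbatim, while the UpsertClause directly below it delegates to `postgresDialect{}`. Delegating here as well, `return postgresDialect{}.QuoteIdentifier(name)`, would keep the double-quote escaping rule in one place, so a later fix cannot land in one copy and miss the other. If the duplication is deliberate, a one-line comment saying that SQLite accepts the same `""` escape inside double-quoted identifiers would make that clear.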