I suspect the escaping of constant sql strings is not fully safe
I think `\` needs escaping too, or else it can be used to escape a single quote:

```scala
select().from(MyTable).where(MyTable.field === "\\'; drop bobby tables".const)
```
As long as const strings are not used for user values this shouldn't ever be a problem
Yes, it's a bit of an escape hatch. I've been thinking about writing a Scalafix linting rule that checks that the receiver of .constant is a compile-time constant.
Don't know if this is an issue for DB2 but it would be for MySQL: https://dev.mysql.com/doc/refman/5.7/en/string-literals.html
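To make the concern concrete, here is an added example (not code from the library discussed in this thread) that contrasts a quote-only escaper with one that also escapes backslashes, and runs the result through a small scanner that follows the single-quoted-literal rules on the MySQL page linked above (a backslash escapes the next character, `''` inside a literal is one quote; the default `sql_mode` with `NO_BACKSLASH_ESCAPES` off is assumed, and `\%`/`\_` are not modelled). The `select * from MyTable where field = ...` rendering of the Scala query is a hypothetical stand-in for whatever the library actually emits.

```python
# Added example: why doubling single quotes is not enough for MySQL literals.
# Not the library's own code; the query text and function names are assumptions.

PAYLOAD = "\\'; drop bobby tables"   # constructed: the string from the thread, i.e.  \'; drop bobby tables


def escape_quote_only(value: str) -> str:
    """Naive escaper: only doubles single quotes (the behaviour the thread suspects)."""
    return "'" + value.replace("'", "''") + "'"


def escape_mysql(value: str) -> str:
    """Escaper that also doubles backslashes, which MySQL requires in default sql_mode."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


# Backslash escape sequences from the MySQL string-literals table (subset).
_SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "0": "\0", "b": "\b", "Z": "\x1a"}


def parse_mysql_literal(sql: str, start: int):
    """Scan the '...' literal beginning at sql[start] the way MySQL does.

    Returns (decoded_value, index_one_past_closing_quote).
    """
    if sql[start] != "'":
        raise ValueError("not at a single-quoted literal")
    out = []
    i = start + 1
    while i < len(sql):
        c = sql[i]
        if c == "\\":
            if i + 1 >= len(sql):
                break
            nxt = sql[i + 1]
            # Backslash escapes the next character; for unknown escapes MySQL drops the backslash.
            out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
            i += 2
        elif c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")                 # '' is a literal single quote
                i += 2
            else:
                return "".join(out), i + 1      # closing quote
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")


def build_query(escaper) -> str:
    # Hypothetical rendering of  select().from(MyTable).where(MyTable.field === x.const)
    return "select * from MyTable where field = " + escaper(PAYLOAD)


def sql_after_literal(escaper) -> str:
    """Return whatever MySQL would parse as SQL *after* the literal ends.

    Empty string means the whole value stayed inside the quotes; anything else
    is attacker-controlled text that broke out of the literal.
    """
    sql = build_query(escaper)
    _, end = parse_mysql_literal(sql, sql.index("'"))
    return sql[end:]


def decoded_value(escaper) -> str:
    """The string value MySQL would actually compare against."""
    sql = build_query(escaper)
    value, _ = parse_mysql_literal(sql, sql.index("'"))
    return value


if __name__ == "__main__":
    for name, esc in (("quote-only", escape_quote_only), ("quote+backslash", escape_mysql)):
        print(f"{name:16} {build_query(esc)}")
        print(f"{'':16} value seen: {decoded_value(esc)!r}  trailing SQL: {sql_after_literal(esc)!r}")
```

With the quote-only escaper the literal closes after `'\''`, leaving `; drop bobby tables'` outside the quotes; with backslashes doubled the whole payload stays inside and decodes back to the original string. Whether DB2 is affected depends on whether its parser treats backslash as an escape character at all, which is the question left open above.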