Open alexandermalyga opened 8 months ago
SQL identifier names are not being escaped, thus enabling SQL injection attacks.
Here is a minimal example to reproduce:
```python
import pypika

# Identifiers that carry an embedded double quote followed by a comment marker
table = pypika.Table('my_table"--')
field = getattr(table, 'my_field"--')

builder = (
    pypika.Query.from_(table, dialect=pypika.Dialects.POSTGRESQL)
    .select(field)
    .where(table.name == "value'")  # literal with an embedded single quote
)
print(builder)
```
This code produces the following SQL, where single quotes are correctly being escaped but double quotes are not:
```sql
SELECT "my_field"--" FROM "my_table"--" WHERE "name"='value'''
```
Doesn't seem ideal. Would you like to make a PR and write some tests against this behavior?
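As an added illustration of what the fix and its tests would need to cover (this is example code written for this issue, not pypika's own implementation; the function names `quote_ident`, `quote_literal`, `build_select`, `build_select_unescaped` and `comment_outside_quotes` are made up here), the following contrasts the reported behaviour with PostgreSQL's identifier quoting rule, in which an embedded `"` inside a double-quoted identifier is written as `""`, exactly as an embedded `'` inside a literal is written as `''`. It also includes a small check a test could use: after every quoted identifier and literal is stripped, no `--` may remain in the statement, which is what an unescaped `"` allows.

```python
import re

# Assumed helper names; none of these exist in pypika.

def quote_ident(name: str) -> str:
    """Quote a SQL identifier the PostgreSQL way: wrap in double quotes and
    double any embedded double quote. NUL cannot appear in an identifier."""
    if "\x00" in name:
        raise ValueError("identifier must not contain NUL")
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value: str) -> str:
    """Quote a string literal: wrap in single quotes, double embedded ones."""
    if "\x00" in value:
        raise ValueError("literal must not contain NUL")
    return "'" + value.replace("'", "''") + "'"


def build_select(table: str, field: str, where_col: str, where_val: str) -> str:
    """Hardened form: every identifier and literal goes through a quoter."""
    return (
        f"SELECT {quote_ident(field)} FROM {quote_ident(table)} "
        f"WHERE {quote_ident(where_col)}={quote_literal(where_val)}"
    )


def build_select_unescaped(table: str, field: str, where_col: str, where_val: str) -> str:
    """Reproduces the reported behaviour: identifiers are wrapped in double
    quotes but embedded double quotes are left alone, while literals are
    escaped correctly. Kept only to show the difference; do not use."""
    return (
        f'SELECT "{field}" FROM "{table}" '
        f'WHERE "{where_col}"={quote_literal(where_val)}'
    )


# Matches one complete double-quoted identifier or single-quoted literal,
# honouring the doubled-quote escape inside each.
_QUOTED_TOKEN = re.compile(r'"(?:[^"]|"")*"|\'(?:[^\']|\'\')*\'')


def comment_outside_quotes(sql: str) -> bool:
    """Return True when a '--' comment marker survives outside all quoted
    tokens, i.e. when an identifier or literal was able to break out."""
    remainder = _QUOTED_TOKEN.sub("", sql)
    return "--" in remainder


if __name__ == "__main__":
    # Constructed inputs mirroring the issue's reproduction.
    args = ('my_table"--', 'my_field"--', "name", "value'")
    unsafe = build_select_unescaped(*args)
    safe = build_select(*args)
    print("unescaped:", unsafe, "| comment escapes quotes:", comment_outside_quotes(unsafe))
    print("escaped:  ", safe, "| comment escapes quotes:", comment_outside_quotes(safe))
```

With the inputs from the issue the unescaped builder emits the statement shown above, while the hardened builder emits `SELECT "my_field""--" FROM "my_table""--" WHERE "name"='value'''`, which PostgreSQL parses as two odd but harmless identifiers. A regression test for the fix can assert on the exact string and on `comment_outside_quotes` returning False for hostile identifiers.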