Open pgaschuetz opened 11 years ago

Hi,
I've just been looking at this and believe - without testing - that your default implementation is actually prone to SQL injection:
DatabaseMetaData.getIdentifierQuoteString() might be a possible candidate for a solution, or at least throw an exception if the database name contains the quote character.
Best, Philipp

Thanks for pointing out this issue Philipp. As you point out the implementation should either ensure that special characters are properly encoded, disallow special characters, or use a prepared statement with parameters instead of using the string directly in the SQL.
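The following is an added example written for this thread, not code from the project or from either poster. It shows the unsafe pattern the issue describes (a caller-supplied database name concatenated into SQL text) next to a guarded builder that uses the driver's DatabaseMetaData.getIdentifierQuoteString() value and rejects a name containing the quote character, as the issue suggests. The class and method names, the 64-character limit, the allow-list regex used when a driver reports no quoting support, and the `USE <name>` statement form are all assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

/**
 * Example code for this issue thread (not the project's own code): contrasts
 * splicing a database name into SQL with quoting it via the driver's
 * identifier quote string plus validation.
 */
public final class DatabaseNameGuard {

    /** Allow-list applied when the driver reports no identifier quoting (assumed policy). */
    private static final Pattern PLAIN_IDENTIFIER =
            Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");

    /** The unsafe pattern from the issue: the name goes straight into the SQL text. */
    static String buildUnsafe(String databaseName) {
        return "USE " + databaseName;
    }

    /**
     * Wraps {@code name} in the quote string obtained from
     * {@link DatabaseMetaData#getIdentifierQuoteString()}. A name containing the
     * quote character is rejected, because that is the one character that could
     * end the quoted identifier early and let the remainder be parsed as SQL.
     */
    static String quoteIdentifier(String name, String quote) throws SQLException {
        if (name == null || name.isEmpty() || name.length() > 64) {
            throw new SQLException("database name missing or too long");
        }
        // JDBC contract: a single space means the database does not support quoting,
        // so the only remaining defence is a strict character allow-list.
        if (quote == null || quote.isBlank()) {
            if (!PLAIN_IDENTIFIER.matcher(name).matches()) {
                throw new SQLException("database name contains characters that cannot be quoted");
            }
            return name;
        }
        if (name.contains(quote)) {
            throw new SQLException("database name must not contain the identifier quote " + quote);
        }
        return quote + name + quote;
    }

    /** Builds the statement with the live driver's quote string (needs a real connection). */
    static String buildSafe(Connection conn, String databaseName) throws SQLException {
        String quote = conn.getMetaData().getIdentifierQuoteString();
        return "USE " + quoteIdentifier(databaseName, quote);
    }

    /** Executes the guarded statement; shown for completeness, not called offline. */
    static void useDatabase(Connection conn, String databaseName) throws SQLException {
        try (Statement st = conn.createStatement()) {
            st.execute(buildSafe(conn, databaseName));
        }
    }

    /** Offline demonstration with constructed inputs; no database is contacted. */
    public static void main(String[] args) throws SQLException {
        String benign = "reports_2024";
        String hostile = "reports; DROP TABLE audit; --";   // constructed hostile input

        // Unsafe builder: the hostile name yields a second statement in the SQL text.
        System.out.println(buildUnsafe(hostile));
        // Quoted builder: the same input becomes one (nonexistent) identifier.
        System.out.println("USE " + quoteIdentifier(benign, "\""));
        System.out.println("USE " + quoteIdentifier(hostile, "\""));
        System.out.println("USE " + quoteIdentifier(benign, "`"));

        try {
            quoteIdentifier("x\"y", "\"");   // quote character inside the name: rejected
        } catch (SQLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            quoteIdentifier(hostile, " ");   // driver without quoting support: allow-list rejects
        } catch (SQLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

One caveat on the reply's third option: JDBC `?` parameters bind values, not identifiers, so a database name cannot be passed to a prepared statement in this position. For an identifier the practical choices are the first two the reply lists, which is what `quoteIdentifier` implements: encode (quote) the name with the driver's own quote string, or refuse names that fall outside an allow-list.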