tursodatabase / libsql-shell-go


`.dump` doesn't properly escape strings with single quotes #140

Closed CodingDoug closed 12 months ago

CodingDoug commented 12 months ago
```
→  create table t (t text);
→  insert into t values ("x'x");
→  .dump
PRAGMA foreign_keys=OFF;
CREATE TABLE t (t text);
INSERT INTO t VALUES ('x'x');
```

That last insert has a SQL syntax error.

CodingDoug commented 12 months ago

Looks like the problem is that this function is doing straight string concatenation (here and many other places) to build outputs:

https://github.com/libsql/libsql-shell-go/blob/main/internal/shellcmd/dump.go#L74-L92

Digging down to the bottom:

https://github.com/libsql/libsql-shell-go/blob/main/internal/db/formatter.go#L82-L84

```go
func (s SQLiteFormatter) formatString(value string) string {
    return fmt.Sprintf("'%v'", value)
}
```
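The following is an added example, not code from libsql-shell-go or from the issue's author. It sets the unescaped formatting quoted above beside a version that doubles embedded single quotes, and checks both with a small literal reader; `naiveFormatString`, `quoteSQLString` and `parseSQLString` are hypothetical names and the sample values are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveFormatString mirrors the behaviour quoted in the issue: the value is
// wrapped in single quotes with no escaping.
func naiveFormatString(value string) string {
	return fmt.Sprintf("'%v'", value)
}

// quoteSQLString (hypothetical name) emits a SQL string literal, doubling
// every embedded single quote as SQL string-literal syntax requires.
func quoteSQLString(value string) string {
	return "'" + strings.ReplaceAll(value, "'", "''") + "'"
}

// parseSQLString (hypothetical helper) reads lit as exactly one string literal.
// ok is false if the literal is unterminated or followed by trailing text.
func parseSQLString(lit string) (decoded string, ok bool) {
	if len(lit) < 2 || lit[0] != '\'' {
		return "", false
	}
	var b strings.Builder
	for i := 1; i < len(lit); i++ {
		if lit[i] != '\'' {
			b.WriteByte(lit[i])
			continue
		}
		if i+1 < len(lit) && lit[i+1] == '\'' { // '' is one escaped quote
			b.WriteByte('\'')
			i++
			continue
		}
		return b.String(), i == len(lit)-1 // closing quote must be the last byte
	}
	return "", false // closing quote never found
}

func main() {
	// Constructed sample values; "x'x" is the one from the issue.
	for _, v := range []string{"x'x", "plain", "'", "a''b", "O'Reilly"} {
		_, naiveOK := parseSQLString(naiveFormatString(v))
		got, ok := parseSQLString(quoteSQLString(v))
		fmt.Printf("%-10q naive ok=%-5v escaped=%s round-trip=%v\n", v, naiveOK, quoteSQLString(v), ok && got == v)
	}
}
```

The value `a''b` is worth keeping in a regression test: without escaping it still parses as a valid literal, but it restores as `a'b`, so the dump silently changes the data instead of failing.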