go-mysqldump
go-mysqldump copied to clipboard
JamesStewy
Add string escape for values
This will escape the strings for single and double quotes. Especially single quotes can lead to SQL errors and injections.
Hi and thank you for the PR.
Are there other special characters apart from single and double quotes that should be escaped? I had a quick look into possibly utilising the SQL escaping that is automatically done when constructing a query but I couldn't figure out how to extract the final command as a string. Do you think that is possible or will we just have to escape it manually?
Finally would you mind rebasing this pull request on master and removing the commit from #11 as I have already merged it.
I found these information in the documentation from MySQL: https://dev.mysql.com/doc/refman/8.0/en/string-literals.html See table 9.1
So, for example, do newlines work currently or will we need to escape them as well?
For newlines the query runs fine. The sql dump will contain the newline as a newline in the file:
INSERT INTO test VALUES ('Newline Test Newline');
MySQL should handle these cases correctly. But I don't know if tools and co. could choke on that. mysqldump itself escapes the newline. Navicat for MySQL and their dump escapes the newline also.
The safe approach here would be to escape the listed sequences in https://dev.mysql.com/doc/refman/8.0/en/string-literals.html
The question is if you want to use your own function or somehow use the built in query generator. But as your quick look suggests this will be trickier or not possible at all.
The question is if you want to use your own function or somehow use the built in query generator
If this is possible (or becomes in the future) I would prefer to use the built in query generator. But for now lets just extend your escapeString function to include the list in Table 9.1 of the link you gave.
