
Identifier quote escaping

Open alexandermalyga opened this issue 1 year ago • 1 comment

SQL identifier names are not being escaped, thus enabling SQL injection attacks.

Here is a minimal example to reproduce:

import pypika

# Identifier names carrying an embedded double quote and a SQL comment marker
table = pypika.Table('my_table"--')
field = getattr(table, 'my_field"--')
builder = (
    pypika.Query.from_(table, dialect=pypika.Dialects.POSTGRESQL)
    .select(field)
    # The value contains a single quote, which pypika does escape
    .where(table.name == "value'")
)

print(builder)

This code produces the following SQL, where single quotes are correctly being escaped but double quotes are not:

SELECT "my_field"--" FROM "my_table"--" WHERE "name"='value'''

alexandermalyga, Nov 05 '23 20:11
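As an added illustration, not part of this issue or of pypika's own code, the following stand-alone Python shows the difference between wrapping an identifier in quote characters (the behaviour reported above) and standard SQL identifier quoting, where every embedded quote character is doubled. It also includes a small reader that parses a quoted identifier the way a SQL lexer would, so you can see that the naive form closes the identifier early and leaves `--` outside it, while the escaped form round-trips to the original name. All function names and the identifier samples are assumptions chosen for this example; the samples reuse the names from the report.

```python
import re

# Constructed samples: the identifiers used in the report above.
MALICIOUS_TABLE = 'my_table"--'
MALICIOUS_FIELD = 'my_field"--'


def quote_identifier_naive(name: str, quote_char: str = '"') -> str:
    """Wrap the name in quote characters without escaping.

    This reproduces the unsafe behaviour described in the report: a quote
    character inside the name terminates the identifier early.
    """
    return f"{quote_char}{name}{quote_char}"


def quote_identifier(name: str, quote_char: str = '"') -> str:
    """Standard SQL identifier quoting: double every embedded quote character.

    Works for '"' (PostgreSQL, SQLite, standard SQL) and '`' (MySQL).
    The NUL check is defensive; most engines reject NUL in identifiers.
    """
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return quote_char + name.replace(quote_char, quote_char * 2) + quote_char


# Allow-list alternative for code that builds identifiers from user input:
# reject anything that is not a plain unquoted identifier (63 chars max, as
# PostgreSQL truncates longer names).
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


def validate_identifier(name: str) -> str:
    """Return the name unchanged if it is a plain identifier, else raise."""
    if not IDENTIFIER_RE.fullmatch(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name


def read_quoted_identifier(sql: str, start: int = 0, quote_char: str = '"'):
    """Parse a quoted identifier starting at sql[start], as a SQL lexer would.

    A doubled quote character inside the identifier is an escaped quote; a
    single one closes it. Returns (identifier, index_after_closing_quote).
    """
    if sql[start] != quote_char:
        raise ValueError("expected quoted identifier")
    i = start + 1
    out = []
    while i < len(sql):
        ch = sql[i]
        if ch == quote_char:
            if i + 1 < len(sql) and sql[i + 1] == quote_char:
                out.append(quote_char)
                i += 2
                continue
            return "".join(out), i + 1
        out.append(ch)
        i += 1
    raise ValueError("unterminated identifier")


def build_select(table: str, field: str, naive: bool = False) -> str:
    """Render SELECT <field> FROM <table> with either quoting strategy."""
    q = quote_identifier_naive if naive else quote_identifier
    return f"SELECT {q(field)} FROM {q(table)}"


if __name__ == "__main__":
    print(build_select(MALICIOUS_TABLE, MALICIOUS_FIELD, naive=True))
    print(build_select(MALICIOUS_TABLE, MALICIOUS_FIELD))
    # The naive rendering parses as the identifier "my_table" followed by
    # stray text; the escaped rendering parses back to the full name.
    print(read_quoted_identifier(quote_identifier_naive(MALICIOUS_TABLE)))
    print(read_quoted_identifier(quote_identifier(MALICIOUS_TABLE)))
```

Doubling the quote character is the same mechanism pypika already applies to single quotes in string literals (`'value'''` in the output above), so the identifier path needs the equivalent treatment for its dialect's quote character. Where identifier names come from untrusted input, an allow-list such as `validate_identifier` is the stronger control, since escaping alone still lets a caller pick arbitrary column or table names.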

Doesn't seem ideal. Would you like to make a PR and write some tests against this behavior?

wd60622, Nov 07 '23 06:11