loukoum
Incorrect escaping of identifiers
One of the main reasons I would like to use loukoum is the claim to handle SQL injection in the builder pattern (quoting table and column names, escaping, etc.).
While the idea is great and has a unique value compared to other SQL builder libraries, it seems like the escaping logic is wrong.
Currently, the quoting logic escapes quotes using a backslash (`\"`), while the correct way to escape double quotes is by using two double quotes (`""`).
https://www.postgresql.org/docs/current/sql-syntax-lexical.html#:~:text=To%20include%20a%20double%20quote%2C%20write%20two%20double%20quotes
The code that has the issue: https://github.com/ulule/loukoum/blob/1a6e491d3cf6b1c03d199c5e0ffbfe242bb28765/stmt/stmt.go#L19-L26
I would expect the quoting to use the following Sanitize method from the pgx driver:
https://github.com/jackc/pgx/blob/8b9b4055f3b679999adde4a0ab44eb6e1ea536c7/conn.go#L80-L92
Note it also handles zero bytes.
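The two quoting behaviours described in the report, as an added example that is not code from loukoum or pgx: the backslash variant beside a doubled-quote variant modelled on what the report says the linked Sanitize method does, plus a small lexer (an assumption written here, not PostgreSQL's own code) that applies the quoted-identifier rule to show where each quoted identifier actually ends.

```go
package main

import (
	"fmt"
	"strings"
)

// quoteBackslash reproduces the reported defect: an embedded double quote is
// escaped with a backslash, which PostgreSQL treats as an ordinary character.
func quoteBackslash(s string) string {
	return `"` + strings.ReplaceAll(s, `"`, `\"`) + `"`
}

// quoteIdentifier follows the PostgreSQL rule the issue links to: double every
// embedded double quote and drop zero bytes, which cannot appear in an identifier.
func quoteIdentifier(s string) string {
	s = strings.ReplaceAll(s, "\x00", "")
	return `"` + strings.ReplaceAll(s, `"`, `""`) + `"`
}

// lexQuotedIdentifier applies the PostgreSQL lexer rule for quoted identifiers:
// a `""` pair stands for one `"`, and the first lone `"` closes the identifier.
// It returns the decoded identifier and whatever SQL text follows the close.
func lexQuotedIdentifier(sql string) (ident, rest string, err error) {
	if !strings.HasPrefix(sql, `"`) {
		return "", sql, fmt.Errorf("not a quoted identifier: %q", sql)
	}
	var b strings.Builder
	for i := 1; i < len(sql); i++ {
		if sql[i] != '"' {
			b.WriteByte(sql[i])
			continue
		}
		if i+1 < len(sql) && sql[i+1] == '"' { // escaped quote
			b.WriteByte('"')
			i++
			continue
		}
		return b.String(), sql[i+1:], nil // closing quote
	}
	return "", sql, fmt.Errorf("unterminated quoted identifier: %q", sql)
}

func main() {
	name := `my "quoted" column` // constructed identifier containing quotes
	for _, q := range []string{quoteBackslash(name), quoteIdentifier(name)} {
		ident, rest, err := lexQuotedIdentifier(q)
		fmt.Printf("%-26s -> ident=%q rest=%q err=%v\n", q, ident, rest, err)
	}
}
```

With the backslash variant the identifier ends at the first embedded quote and the remainder is left over as loose SQL text; with doubled quotes the name round-trips intact.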
Thank you for the report @ori-shalom!
We will take this issue in the next few weeks (French holidays); in the meantime, if you want to send us a PR, you are welcome!