Skip to content

Escape all dynamic SQL identifiers#18

Merged
bitalizer merged 1 commit into
masterfrom
refactor/sql-escaping
Apr 12, 2026
Merged

Escape all dynamic SQL identifiers#18
bitalizer merged 1 commit into
masterfrom
refactor/sql-escaping

Conversation

@bitalizer
Copy link
Copy Markdown
Owner

@bitalizer bitalizer commented Apr 12, 2026

Summary

  • Add escape_mssql_identifier, escape_mysql_identifier, and escape_sql_string helpers in src/common/sql.rs
  • Apply escaping to all dynamic SQL in extractor (MSSQL), inserter (MySQL), and query builder
  • Backtick-quote all column names in INSERT, CREATE TABLE, and ALTER TABLE statements
  • Prevents breakage on reserved words and special characters in table/column names
  • Rules verified against official MySQL and MSSQL documentation

Test plan

  • 15 new tests for escape helpers (brackets, backticks, quotes, edge cases)
  • 4 new tests for reserved words and special chars in query builders
  • All 113 tests pass
  • cargo clippy -- -D warnings clean
  • cargo fmt --check clean

@bitalizer
fix: escape all dynamic SQL identifiers to prevent injection
e1522de 
Add escape helpers for MSSQL ([brackets]) and MySQL (`backticks`)
identifiers, plus string literal escaping. Apply throughout extractor,
inserter, and query builder. Backtick-quote all column names in
INSERT, CREATE TABLE, and ALTER TABLE statements.

Rules verified against official MySQL and MSSQL documentation.
@bitalizer bitalizer merged commit 24bc218 into master Apr 12, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bitalizer