From 994aa69fd00afc7e24e593b1a6c6667535e090c2 Mon Sep 17 00:00:00 2001
From: Fabio Di Stasio
Date: Mon, 14 Apr 2025 10:04:55 +0200
Subject: [PATCH] fix: improve SQL parameter escaping in update-table-cell, ensuring correct handling of id types
---
 src/main/ipc-handlers/tables.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/main/ipc-handlers/tables.ts b/src/main/ipc-handlers/tables.ts
index ceb09373..01c6205a 100644
--- a/src/main/ipc-handlers/tables.ts
+++ b/src/main/ipc-handlers/tables.ts
@@ -135,7 +135,7 @@ export default (connections: Record) => {
 try { // TODO: move to client classes
 let escapedParam;
 let reload = false;
- const id = typeof params.id === 'number' ? params.id : `${sw}${params.id}${sw}`;
+ const id = typeof params.id === 'number' ? params.id : `${sw}${sqlEscaper(params.id)}${sw}`;
 
 if ([...NUMBER, ...FLOAT].includes(params.type))
 escapedParam = params.content;
@@ -221,7 +221,7 @@ export default (connections: Record) => {
 .update({ [params.field]: `= ${escapedParam}` })
 .schema(params.schema)
 .from(params.table)
- .where({ [params.primary]: `= ${typeof id === 'string' ? sqlEscaper(id) : id}` })
+ .where({ [params.primary]: `= ${id}` })
 .limit(1)
 .run();
 }
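Review bot: The string branch of `id` in the first hunk now depends on `sqlEscaper` matching the quoting rules of whichever engine `sw` belongs to, and it is called on `params.id` without confirming the value is a string. If `sqlEscaper` escapes quotes with a backslash (its definition is not in this hunk), an engine that treats a backslash inside a string literal as an ordinary character would still let a quote in `params.id` close the literal. Doubling the wrapper character per client, or passing the id as a bound parameter from the client classes the TODO mentions, avoids that. A cheap guard before the assignment would be `if (typeof params.id !== 'number' && typeof params.id !== 'string') throw new Error('Invalid id type');`, with `Number.isFinite(params.id)` added to the numeric branch. The handler and the `try` block both continue outside the hunk.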
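Review bot: The `.where()` value in the second hunk is now safe only because `id` was escaped and wrapped where it is declared, more than eighty lines above this call, and nothing at the call site says so. A short comment such as `// id is already escaped and quoted where it is declared; do not escape it again` would keep a later edit from reintroducing the double escaping this commit removes. The keys `params.primary` and `params.field`, and the `.schema()` / `.from()` arguments, are also taken from `params`. Whether the query builder quotes them as identifiers is not visible here, so it is worth confirming they are quoted or checked against the table's known columns. The builder chain starts before the hunk.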