fabio286/antares
1
1
Fork 0
mirror of https://github.com/Fabio286/antares.git synced 2025-06-05 21:59:22 +02:00
Code Issues Releases Wiki Activity

fix: improve SQL parameter escaping in update-table-cell, ensuring correct handling of id types

Browse Source
This commit is contained in:
Fabio Di Stasio
2025-04-14 10:04:55 +02:00
parent 8f84892f07
commit 994aa69fd0
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/main/ipc-handlers/tables.ts
View File

@@ -135,7 +135,7 @@ export default (connections: Record<string, antares.Client>) => {
try { // TODO: move to client classes try { // TODO: move to client classes
let escapedParam; let escapedParam;
let reload = false; let reload = false;
const id = typeof params.id === 'number' ? params.id : `${sw}${params.id}${sw}`; const id = typeof params.id === 'number' ? params.id : `${sw}${sqlEscaper(params.id)}${sw}`;
if ([...NUMBER, ...FLOAT].includes(params.type)) if ([...NUMBER, ...FLOAT].includes(params.type))
escapedParam = params.content; escapedParam = params.content;
@@ -221,7 +221,7 @@ export default (connections: Record<string, antares.Client>) => {
.update({ [params.field]: `= ${escapedParam}` }) .update({ [params.field]: `= ${escapedParam}` })
.schema(params.schema) .schema(params.schema)
.from(params.table) .from(params.table)
.where({ [params.primary]: `= ${typeof id === 'string' ? sqlEscaper(id) : id}` }) .where({ [params.primary]: `= ${id}` })
.limit(1) .limit(1)
.run(); .run();
} }