From 9f6a183d9b293dfe9ad9f3759f2375f05f37db8e Mon Sep 17 00:00:00 2001
From: Fabio Di Stasio
Date: Thu, 18 Mar 2021 12:30:06 +0100
Subject: [PATCH] fix(PostgreSQL): single quote escape

---
 src/main/ipc-handlers/tables.js | 43 +++++++++++++++++++++++++++------
 1 file changed, 35 insertions(+), 8 deletions(-)

diff --git a/src/main/ipc-handlers/tables.js b/src/main/ipc-handlers/tables.js
index ee9690f1..e4dac023 100644
--- a/src/main/ipc-handlers/tables.js
+++ b/src/main/ipc-handlers/tables.js
@@ -66,8 +66,17 @@ export default (connections) => {
          if ([...NUMBER, ...FLOAT].includes(params.type))
             escapedParam = params.content;
-         else if ([...TEXT, ...LONG_TEXT].includes(params.type))
-            escapedParam = `"${sqlEscaper(params.content)}"`;
+         else if ([...TEXT, ...LONG_TEXT].includes(params.type)) {
+            switch (connections[params.uid]._client) {
+               case 'mysql':
+               case 'maria':
+                  escapedParam = `"${sqlEscaper(params.content)}"`;
+                  break;
+               case 'pg':
+                  escapedParam = `'${params.content.replaceAll('\'', '\'\'')}'`;
+                  break;
+            }
+         }
          else if (ARRAY.includes(params.type))
             escapedParam = `'${params.content}'`;
          else if (TEXT_SEARCH.includes(params.type))
@@ -93,7 +102,7 @@ export default (connections) => {
             switch (connections[params.uid]._client) {
                case 'mysql':
                case 'maria':
-                  escapedParam = '""';
+                  escapedParam = '\'\'';
                   break;
                case 'pg':
                   escapedParam = 'decode(\'\', \'hex\')';
@@ -108,7 +117,7 @@ export default (connections) => {
          else if (params.content === null)
             escapedParam = 'NULL';
          else
-            escapedParam = `"${sqlEscaper(params.content)}"`;
+            escapedParam = `'${sqlEscaper(params.content)}'`;
          if (params.primary) {
             await connections[params.uid]
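Review bot: The new `switch` on `_client` in the TEXT/LONG_TEXT branch has no `default`, so for any client other than mysql/maria/pg `escapedParam` keeps whatever value it held before the branch and is interpolated into the statement as-is; the identical switches at lines 210 and 284 have the same gap. Add a fail-closed arm, `default: throw new Error('Unsupported client: ' + connections[params.uid]._client);`, or keep the previous sqlEscaper fallback for the non-pg clients. On the pg arm, doubling the quote is the correct escape only while `standard_conforming_strings` is on (the server default since 9.1); on a server where it is off a backslash in the value also needs handling, and a parameterized query (`$1`) would remove the dialect dependence entirely. `params.content.replaceAll` also throws if content is not a string, where the old sqlEscaper path may have coerced it — `String(params.content)` is worth adding if non-string content can reach this branch, which I cannot confirm from the hunk. The enclosing handler starts and ends outside the hunk.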
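Review bot: The fallback at line 120 now wraps `sqlEscaper(params.content)` in single quotes for every client, but unlike the TEXT branch earlier in this file it does not dispatch on `_client`; if sqlEscaper escapes with a backslash (MySQL style), that does not neutralize a `'` inside a PostgreSQL literal when `standard_conforming_strings` is on, which is exactly why the pg arm above switched to quote doubling. Route this fallback through the same per-client rule — keep sqlEscaper for mysql/maria and use `String(params.content).replaceAll('\'', '\'\'')` for pg — so the two paths cannot drift apart. sqlEscaper's implementation is not visible from this hunk, so confirm what it escapes before relying on it for pg. The enclosing handler starts and ends outside the hunk.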
@@ -201,8 +210,17 @@ export default (connections) => {
                  escapedParam = 'NULL';
               else if ([...NUMBER, ...FLOAT].includes(type))
                  escapedParam = +params.row[key];
-              else if ([...TEXT, ...LONG_TEXT].includes(type))
-                 escapedParam = `'${sqlEscaper(params.row[key])}'`;
+              else if ([...TEXT, ...LONG_TEXT].includes(type)) {
+                 switch (connections[params.uid]._client) {
+                    case 'mysql':
+                    case 'maria':
+                       escapedParam = `"${sqlEscaper(params.row[key].value)}"`;
+                       break;
+                    case 'pg':
+                       escapedParam = `'${params.row[key].value.replaceAll('\'', '\'\'')}'`;
+                       break;
+                 }
+              }
               else if (BLOB.includes(type)) {
                  if (params.row[key].value) {
                     let fileBlob;
@@ -266,8 +284,17 @@ export default (connections) => {
                  escapedParam = 'NULL';
               else if ([...NUMBER, ...FLOAT].includes(type))
                  escapedParam = params.row[key].value;
-              else if ([...TEXT, ...LONG_TEXT].includes(type))
-                 escapedParam = `'${sqlEscaper(params.row[key].value)}'`;
+              else if ([...TEXT, ...LONG_TEXT].includes(type)) {
+                 switch (connections[params.uid]._client) {
+                    case 'mysql':
+                    case 'maria':
+                       escapedParam = `"${sqlEscaper(params.row[key].value)}"`;
+                       break;
+                    case 'pg':
+                       escapedParam = `'${params.row[key].value.replaceAll('\'', '\'\'')}'`;
+                       break;
+                 }
+              }
               else if (BLOB.includes(type)) {
                  if (params.row[key].value) {
                     let fileBlob;
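Review bot: The context line `escapedParam = +params.row[key];` in the NUMBER branch at line 212 still reads the raw cell, while the new TEXT arm right below it and the BLOB branch read `params.row[key].value`; if cells are `{ value }` objects here as they are at line 286, the numeric branch yields NaN, and it looks as though the removed line had the same shape mismatch that this hunk fixed only for the text half — worth confirming against the caller. Separately, the per-client quoting switch is now pasted three times (lines 69, 213 and 287), so a module-level helper would keep the dialect rule in one place and make the missing `default` arm a single fix. Suggested shape below; the enclosing handler starts and ends outside the hunk.
```javascript
// Quote a text value for interpolation according to the client dialect.
// pg: double embedded quotes (correct while standard_conforming_strings is on);
// mysql/maria: existing sqlEscaper helper. Unknown clients fail closed.
const escapeText = (client, value) => {
   switch (client) {
      case 'mysql':
      case 'maria':
         return `"${sqlEscaper(value)}"`;
      case 'pg':
         return `'${String(value).replaceAll('\'', '\'\'')}'`;
      default:
         throw new Error(`Unsupported client: ${client}`);
   }
};

// … unchanged: row iteration and NULL/NUMBER branches …
               else if ([...TEXT, ...LONG_TEXT].includes(type))
                  escapedParam = escapeText(connections[params.uid]._client, params.row[key].value);
// … unchanged: BLOB branch …
```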