From ba63b049a3a059e77256141dc7b761efbbbf8c1e Mon Sep 17 00:00:00 2001
From: Fabio Di Stasio
Date: Mon, 31 Mar 2025 13:03:49 +0200
Subject: [PATCH] fix: escape SQL parameters in update and delete for where clauses, fixes #964
---
 src/main/ipc-handlers/tables.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/main/ipc-handlers/tables.ts b/src/main/ipc-handlers/tables.ts
index 99b0e600..f122a128 100644
--- a/src/main/ipc-handlers/tables.ts
+++ b/src/main/ipc-handlers/tables.ts
@@ -221,7 +221,7 @@ export default (connections: Record) => {
 .update({ [params.field]: `= ${escapedParam}` })
 .schema(params.schema)
 .from(params.table)
- .where({ [params.primary]: `= ${id}` })
+ .where({ [params.primary]: `= ${sqlEscaper(id)}` })
 .limit(1)
 .run();
 }
@@ -233,7 +233,7 @@ export default (connections: Record) => {
 for (const key in orgRow) {
 if (typeof orgRow[key] === 'string')
- orgRow[key] = ` = '${orgRow[key]}'`;
+ orgRow[key] = ` = '${sqlEscaper(orgRow[key])}'`;
 else if (typeof orgRow[key] === 'object' && orgRow[key] !== null)
 orgRow[key] = formatJsonForSqlWhere(orgRow[key], connections[params.uid]._client);
 else if (orgRow[key] === null)
@@ -290,7 +290,7 @@ export default (connections: Record) => {
 for (const row of params.rows) {
 for (const key in row) {
 if (typeof row[key] === 'string')
- row[key] = `'${row[key]}'`;
+ row[key] = `'${sqlEscaper(row[key])}'`;
 if (row[key] === null)
 row[key] = 'IS NULL';
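Review bot: The new `.where(...)` line in the first hunk interpolates the escaped value without surrounding quotes, whereas the second and third hunks wrap the escaped string in single quotes; if `id` can arrive as a string and `sqlEscaper` only neutralises quote characters (its implementation is not in this patch), an unquoted value is still placed into the statement as-is. Either quote it consistently with the rest of the patch, `= '${sqlEscaper(id)}'`, or validate that `id` is numeric before the clause is built; `id` is assigned before the hunk starts, so this needs checking against that earlier code. The enclosing handler starts and ends outside the hunk. Longer-term, the driver's own parameter binding would remove the need for string-level escaping in these WHERE clauses.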
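Review bot: In the second hunk `sqlEscaper(orgRow[key])` is called without the connection's client, while `formatJsonForSqlWhere` two lines below receives `connections[params.uid]._client`; string escaping rules differ between SQL dialects (backslash escaping versus doubled quotes), so if `sqlEscaper` is not dialect-aware — it is defined outside this patch — the escaped value may be incorrect for some of the supported clients. Consider passing the client the way the `formatJsonForSqlWhere` call does, or document on `sqlEscaper` which dialects it is correct for, e.g. `// escapes for <DIALECT>; verify before use with other clients`. The same applies to the `row[key]` escaping in the third hunk. The `for (const key in orgRow)` loop begins inside the hunk but the handler's body continues past its last line.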