
fix: escape SQL parameters in update and delete for where clauses, fixes #964

This commit is contained in:
2025-03-31 13:03:49 +02:00
parent fcd7e404ba
commit ba63b049a3


@@ -221,7 +221,7 @@ export default (connections: Record<string, antares.Client>) => {
.update({ [params.field]: `= ${escapedParam}` })
.schema(params.schema)
.from(params.table)
.where({ [params.primary]: `= ${id}` })
.where({ [params.primary]: `= ${sqlEscaper(id)}` })
.limit(1)
.run();
}
@@ -233,7 +233,7 @@ export default (connections: Record<string, antares.Client>) => {
for (const key in orgRow) {
if (typeof orgRow[key] === 'string')
orgRow[key] = ` = '${orgRow[key]}'`;
orgRow[key] = ` = '${sqlEscaper(orgRow[key])}'`;
else if (typeof orgRow[key] === 'object' && orgRow[key] !== null)
orgRow[key] = formatJsonForSqlWhere(orgRow[key], connections[params.uid]._client);
else if (orgRow[key] === null)
@@ -290,7 +290,7 @@ export default (connections: Record<string, antares.Client>) => {
for (const row of params.rows) {
for (const key in row) {
if (typeof row[key] === 'string')
row[key] = `'${row[key]}'`;
row[key] = `'${sqlEscaper(row[key])}'`;
if (row[key] === null)
row[key] = 'IS NULL';