Support for escaping untrusted string inputs #9
Description
The library should provide users with a way to escape untrusted string inputs in a way that makes it safe to insert them into queries.
According to the documentation, it appears like escaping strings is relatively simple in ClickHouse:
In string literals, you need to escape at least ' and . Single quotes can be escaped with the single quote, literals 'It's' and 'It''s' are equal.
https://clickhouse.tech/docs/en/sql-reference/syntax/#syntax-string-literal
However, the experience with many other databases and their respective clients in the past have shown that there are a lot of things that can go wrong with escaping. Things that usually contribute to making proper escaping a non-trivial issue are:
- null terminated strings in C/C++, particularly when interoperating with a language where 0 is a valid byte inside strings
- charset mismatches on client and server, resulting in different interpretation of characters in the client and the server
We should take a close look at how some other clients handle this and perhaps even request a review from a CH engineer (on the mailing list?).
My personal opinion is that it is better to not have an escape function at all instead of having a potentially broken / unsound one that merely give users an illusion of safety.
Status
This issue is currently not being worked on and if anyone is interesting in taking a stab at it, please comment here in order to prevent duplicate work or to ask any further questions.