
Commit 7d5e083

Escape values in array type checks for safer SQL queries (#9332)
Signed-off-by: Denis Bykhov <[email protected]>
1 parent d5fd17e commit 7d5e083


1 file changed

+2
-2
lines changed


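--- a/server/postgres/src/storage.ts
+++ b/server/postgres/src/storage.ts
@@ -1488,8 +1488,8 @@ abstract class PostgresAdapterBase implements DbAdapter {
 return type === 'common'
 ? `${tlkey} = ${vars.add(value, valType)}`
 : type === 'array'
-? `${tkey} @> '${typeof value === 'string' ? '{"' + value + '"}' : value}'`
-: `${tkey} @> '${typeof value === 'string' ? '"' + value + '"' : value}'`
+? `${tkey} @> '${typeof value === 'string' ? '{"' + escape(value) + '"}' : value}'`
+: `${tkey} @> '${typeof value === 'string' ? '"' + escape(value) + '"' : value}'`
 }
 
 private getReverseProjection (vars: ValuesVariables, join: JoinProps): string[] {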
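Review bot: Both `@>` branches still build their right-hand operand by string concatenation, and only the `typeof value === 'string'` case passes through `escape()`; the `: value` fallback is interpolated into the quoted literal as-is. `escape` is defined outside this hunk, so it cannot be confirmed from here that it covers both quoting layers in play: the outer SQL single-quoted literal and the inner double-quoted array/JSON element, where `"` and `\` would also need handling. The `common` branch just above already binds its operand with `vars.add(value, valType)`; binding the containment operand the same way (the serialized array/JSON value passed as a parameter, with a cast if required) would remove the reliance on escaping. If interpolation has to stay, a comment such as `// escape() covers SQL quotes and array/JSON element quoting; non-string values are <state the guarantee>` would record the assumption for the next reader. The enclosing method begins outside the hunk, so the possible types of `value` are not visible here.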
