Potential fix for code scanning alert no. 368: Potentially unsafe quoting

joel-rieke · github-advanced-security[bot] · web-flow · commit 37ca7a46a780 · 2025-07-15T13:55:53.000-07:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/sql/rowexec/show_iters.go b/sql/rowexec/show_iters.go
@@ -398,7 +398,10 @@ func convertColumnDefaultToString(ctx *sql.Context, def *sql.ColumnDefaultValue)
 	if types.IsBit(def.OutType) {
 		return fmt.Sprintf("b'%b'", v), nil
 	}
-	return fmt.Sprintf("'%v'", v), nil
+	// Escape single quotes and backslashes in v to prevent SQL injection
+	sanitizedValue := strings.ReplaceAll(fmt.Sprintf("%v", v), `\`, `\\`)
+	sanitizedValue = strings.ReplaceAll(sanitizedValue, `'`, `\'`)
+	return fmt.Sprintf("'%s'", sanitizedValue), nil
 }
 
 func (i *showCreateTablesIter) produceCreateTableStatement(ctx *sql.Context, table sql.Table, schema sql.Schema, pkSchema sql.PrimaryKeySchema) (string, error) {

Original file line number	Diff line number	Diff line change
`@@ -398,7 +398,10 @@ func convertColumnDefaultToString(ctx sql.Context, def sql.ColumnDefaultValue)`
`398`	`398`	`if types.IsBit(def.OutType) {`
`399`	`399`	`return fmt.Sprintf("b'%b'", v), nil`
`400`	`400`	`}`
`401`		`- return fmt.Sprintf("'%v'", v), nil`
	`401`	`+ // Escape single quotes and backslashes in v to prevent SQL injection`
	`402`	+ sanitizedValue := strings.ReplaceAll(fmt.Sprintf("%v", v), `\`, `\\`)
	`403`	+ sanitizedValue = strings.ReplaceAll(sanitizedValue, `'`, `\'`)
	`404`	`+ return fmt.Sprintf("'%s'", sanitizedValue), nil`
`402`	`405`	`}`
`403`	`406`
`404`	`407`	`func (i showCreateTablesIter) produceCreateTableStatement(ctx sql.Context, table sql.Table, schema sql.Schema, pkSchema sql.PrimaryKeySchema) (string, error) {`