Escape single quotes on insert

njord-rs · Nov 16, 2024 · cb0ea12 · cb0ea12
1 parent b40058b
commit cb0ea12
Show file tree

Hide file tree

Showing 9 changed files with 115 additions and 8 deletions.
diff --git a/njord/db/insert.db b/njord/db/insert.db
diff --git a/njord/src/mssql/insert.rs b/njord/src/mssql/insert.rs
@@ -165,8 +165,12 @@ fn generate_statement<T: Table>(table_row: &T, first_statement: bool) -> Result<
             println!("Skipping AutoIncrementPrimaryKey field in SQL statement generation.");
             continue;
         }
+
+        // Escape single quotes in the value
+        let escaped_value = value.replace("'", "''");
+
         columns_str.push_str(&format!("{}, ", column_name));
-        values_str.push_str(&format!("'{}', ", value)); // Surround values with single quotes
+        values_str.push_str(&format!("'{}', ", escaped_value)); // Surround values with single quotes
     }
 
     // Sanitize table name from unwanted quotations or backslashes

diff --git a/njord/src/mysql/insert.rs b/njord/src/mysql/insert.rs
@@ -167,8 +167,12 @@ fn generate_statement<T: Table>(table_row: &T, first_statement: bool) -> Result<
             println!("Skipping AutoIncrementPrimaryKey field in SQL statement generation.");
             continue;
         }
+
+        // Escape single quotes in the value
+        let escaped_value = value.replace("'", "''");
+
         columns_str.push_str(&format!("{}, ", column_name));
-        values_str.push_str(&format!("'{}', ", value)); // Surround values with single quotes
+        values_str.push_str(&format!("'{}', ", escaped_value)); // Surround values with single quotes
     }
 
     // Sanitize table name from unwanted quotations or backslashes

diff --git a/njord/src/oracle/insert.rs b/njord/src/oracle/insert.rs
@@ -170,8 +170,12 @@ fn generate_statement<T: Table>(table_row: &T, first_statement: bool) -> Result<
             println!("Skipping AutoIncrementPrimaryKey field in SQL statement generation.");
             continue;
         }
+
+        // Escape single quotes in the value
+        let escaped_value = value.replace("'", "''");
+
         columns_str.push_str(&format!("{}, ", column_name));
-        values_str.push_str(&format!("'{}', ", value)); // Surround values with single quotes
+        values_str.push_str(&format!("'{}', ", escaped_value)); // Surround values with single quotes
     }
 
     // Sanitize table name from unwanted quotations or backslashes

diff --git a/njord/src/sqlite/insert.rs b/njord/src/sqlite/insert.rs
@@ -54,10 +54,7 @@ use std::fmt::Error;
 ///
 /// A `Result` containing a `String` representing the joined SQL statements
 /// if the insertion is successful, or a `RusqliteError` if an error occurs.
-pub fn insert<T: Table>(
-    conn: &Connection,
-    table_rows: Vec<T>,
-) -> Result<String, RusqliteError> {
+pub fn insert<T: Table>(conn: &Connection, table_rows: Vec<T>) -> Result<String, RusqliteError> {
     let mut statements: Vec<String> = Vec::new();
     for (index, table_row) in table_rows.iter().enumerate() {
         match generate_statement(table_row, index == 0) {
@@ -164,8 +161,12 @@ fn generate_statement<T: Table>(table_row: &T, first_statement: bool) -> Result<
             println!("Skipping AutoIncrementPrimaryKey field in SQL statement generation.");
             continue;
         }
+
+        // Escape single quotes in the value
+        let escaped_value = value.replace("'", "''");
+
         columns_str.push_str(&format!("{}, ", column_name));
-        values_str.push_str(&format!("'{}', ", value)); // Surround values with single quotes
+        values_str.push_str(&format!("'{}', ", escaped_value)); // Surround values with single quotes
     }
 
     // Sanitize table name from unwanted quotations or backslashes

diff --git a/njord/tests/mssql/insert_test.rs b/njord/tests/mssql/insert_test.rs
@@ -26,3 +26,27 @@ async fn insert_row() {
         }
     }
 }
+
+#[tokio::test]
+async fn insert_row_with_single_quotes() {
+    let connection_string =
+        "jdbc:sqlserver://localhost;encrypt=true;username=sa;password=Njord_passw0rd;databaseName=NjordDatabase;";
+    let mut conn = mssql::open(connection_string).await;
+
+    let table_row: User = User {
+        id: AutoIncrementPrimaryKey::default(),
+        username: "quote_user".to_string(),
+        email: "[email protected]".to_string(),
+        address: "Some Random 'Address' 1".to_string(),
+    };
+
+    match conn {
+        Ok(ref mut c) => {
+            let result = mssql::insert(c, vec![table_row]).await;
+            assert!(result.is_ok());
+        }
+        Err(e) => {
+            panic!("Failed to INSERT: {:?}", e);
+        }
+    }
+}
diff --git a/njord/tests/mysql/insert_test.rs b/njord/tests/mysql/insert_test.rs
@@ -25,3 +25,26 @@ fn insert_row() {
         }
     }
 }
+
+#[test]
+fn insert_row_with_single_quotes() {
+    let url = "mysql://njord_user:njord_password@localhost:3306/njord_db";
+    let mut conn = mysql::open(url);
+
+    let table_row: User = User {
+        id: AutoIncrementPrimaryKey::default(),
+        username: "quote_user".to_string(),
+        email: "[email protected]".to_string(),
+        address: "Some Random 'Address' 1".to_string(),
+    };
+
+    match conn {
+        Ok(ref mut c) => {
+            let result = mysql::insert(c, vec![table_row]);
+            assert!(result.is_ok());
+        }
+        Err(e) => {
+            panic!("Failed to INSERT: {:?}", e);
+        }
+    }
+}
diff --git a/njord/tests/oracle/insert_test.rs b/njord/tests/oracle/insert_test.rs
@@ -25,3 +25,26 @@ fn insert_row() {
         }
     }
 }
+
+#[test]
+fn insert_row_with_single_quotes() {
+    let connection_string = "//localhost:1521/FREEPDB1";
+    let mut conn = oracle::open("njord_user", "njord_password", connection_string);
+
+    let table_row: User = User {
+        id: AutoIncrementPrimaryKey::default(),
+        username: "quote_user".to_string(),
+        email: "[email protected]".to_string(),
+        address: "Some Random 'Address' 1".to_string(),
+    };
+
+    match conn {
+        Ok(ref mut c) => {
+            let result = oracle::insert(c, vec![table_row]);
+            assert!(result.is_ok());
+        }
+        Err(e) => {
+            panic!("Failed to INSERT: {:?}", e);
+        }
+    }
+}
diff --git a/njord/tests/sqlite/insert_test.rs b/njord/tests/sqlite/insert_test.rs
@@ -68,3 +68,27 @@ fn insert_with_sub_query() {
         }
     }
 }
+
+#[test]
+fn insert_row_with_single_quotes() {
+    let db_relative_path = "./db/insert.db";
+    let db_path = Path::new(&db_relative_path);
+    let mut conn = sqlite::open(db_path);
+
+    let table_row: User = User {
+        id: AutoIncrementPrimaryKey::default(),
+        username: "quote_user".to_string(),
+        email: "[email protected]".to_string(),
+        address: "Some Random 'Address' 1".to_string(),
+    };
+
+    match conn {
+        Ok(ref mut c) => {
+            let result = sqlite::insert(c, vec![table_row]);
+            assert!(result.is_ok());
+        }
+        Err(e) => {
+            panic!("Failed to INSERT: {:?}", e);
+        }
+    }
+}