escape pgsql field and values generated by buildGetCondition (#577)
## Description

SQL column names and values should be escaped. Go does not offer a generic function for this (as it tends to be SQL dialect specific). The "pq" library, which we are using as a PostgreSQL interface, does provide helpers for this purpose.
 
https://pkg.go.dev/github.com/lib/pq#QuoteIdentifier

Alternatively, `buildGetCondition` is only used by one caller. It should be possible to remove `buildGetCondition` and have `GetTemplate` build a parameterized query with a parameterized list (some SQLs or client libraries don't allow for field names to be parameters, I don't know if that is the case here).
 
## Why is this needed
Fixes: #574

## How Has This Been Tested?
## How are existing users impacted? What migration steps/scripts do we need?
## Checklist:

I have:

- [ ] updated the documentation and/or roadmap (if required)
- [ ] added unit or e2e tests
- [ ] provided instructions on how to upgrade
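To show concretely what the description above means by escaping column names and values, here is an added Go example (not code from this repository or from lib/pq). It places the interpolating "before" form of `buildGetCondition` beside an escaped "after" form and beside the parameterized alternative the description sketches. Because the example must run with the standard library only, `quoteIdentifier` and `quoteLiteral` are stand-ins that follow PostgreSQL's quoting rules (double embedded `"` inside `"..."`, double embedded `'` inside `'...'`, `E'...'` with doubled backslashes when a backslash is present); they are assumptions about how the pq helpers behave, not the library's code. The sample `fields` map is constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// naiveGetCondition mirrors the "before" side of the commit: column and value
// are interpolated straight into SQL text, so a quote in either one ends the
// literal early and changes the meaning of the statement.
func naiveGetCondition(fields map[string]string) (string, error) {
	for column, field := range fields {
		if field != "" {
			return fmt.Sprintf("%s = '%s'", column, field), nil
		}
	}
	return "", errors.New("one GetBy field must be set to build a get condition")
}

// quoteIdentifier applies PostgreSQL's identifier quoting rule: wrap in double
// quotes and double every embedded double quote. Stand-in for pq.QuoteIdentifier
// (assumption: behaviour approximated, not the library's own code).
func quoteIdentifier(name string) string {
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// quoteLiteral applies PostgreSQL's string-literal quoting rule: single quotes
// are doubled, and if a backslash is present the E'...' form is used with
// backslashes doubled. Stand-in for pq.QuoteLiteral (assumption, see above).
func quoteLiteral(value string) string {
	s := strings.ReplaceAll(value, `'`, `''`)
	if strings.Contains(s, `\`) {
		return `E'` + strings.ReplaceAll(s, `\`, `\\`) + `'`
	}
	return `'` + s + `'`
}

// escapedGetCondition mirrors the "after" side of the commit using the stand-ins.
func escapedGetCondition(fields map[string]string) (string, error) {
	for column, field := range fields {
		if field != "" {
			return fmt.Sprintf("%s = %s", quoteIdentifier(column), quoteLiteral(field)), nil
		}
	}
	return "", errors.New("one GetBy field must be set to build a get condition")
}

// parameterizedGetCondition is the alternative the description suggests: the
// column name is still quoted as an identifier (PostgreSQL cannot bind identifiers
// as parameters), but the value becomes a $1 placeholder returned in an args slice
// that the caller hands to the database driver.
func parameterizedGetCondition(fields map[string]string) (string, []interface{}, error) {
	for column, field := range fields {
		if field != "" {
			return fmt.Sprintf("%s = $1", quoteIdentifier(column)), []interface{}{field}, nil
		}
	}
	return "", nil, errors.New("one GetBy field must be set to build a get condition")
}

func main() {
	// Constructed sample input: a single field whose value contains a quote.
	fields := map[string]string{"name": "O'Brien"}

	naive, _ := naiveGetCondition(fields)
	escaped, _ := escapedGetCondition(fields)
	query, args, _ := parameterizedGetCondition(fields)

	fmt.Println(naive)       // name = 'O'Brien'      (literal ends at the embedded quote)
	fmt.Println(escaped)     // "name" = 'O''Brien'
	fmt.Println(query, args) // "name" = $1 [O'Brien]
}
```

Note that all three variants keep the original loop over a Go map, so with more than one non-empty field the chosen column is whichever key the map iteration happens to yield first; a single-entry map is used here so the result is deterministic.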
mergify[bot] authored Feb 8, 2022
2 parents 2be823c + 23f3466 commit c047011
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion db/db.go
Expand Up @@ -111,7 +111,7 @@ func get(ctx context.Context, db *sql.DB, query string, args ...interface{}) (st
func buildGetCondition(fields map[string]string) (string, error) {
for column, field := range fields {
if field != "" {
return fmt.Sprintf("%s = '%s'", column, field), nil
return fmt.Sprintf("%s = %s", pq.QuoteIdentifier(column), pq.QuoteLiteral(field)), nil
}
}
return "", errors.New("one GetBy field must be set to build a get condition")
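Review bot: the `for column, field := range fields` loop on the second line of this hunk iterates a Go map, so when more than one GetBy field is non-empty the column chosen for the condition varies between calls and the remaining fields are silently ignored; iterate over a sorted key list or return an error when more than one field is set. The replacement line is the right fix for the quoting problem itself: `pq.QuoteIdentifier(column)` wraps the name and doubles any embedded `"`, and `pq.QuoteLiteral(field)` doubles any embedded `'`, so a value containing a quote no longer terminates the literal early. Please confirm that `github.com/lib/pq` is imported in `db/db.go`, which this hunk does not show. Since the unit-test checklist item is unchecked, a table test that feeds a column name containing `"` and a value containing `'` and asserts on the returned string would pin this behaviour. Longer term, the parameterized form the description suggests (`"col" = $1` with the value passed through `args` to `get`) removes literal quoting altogether; the identifier still needs `QuoteIdentifier`, since PostgreSQL cannot bind column names as parameters.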
