escape pgsql field and values generated by buildGetCondition

Signed-off-by: Marques Johansson <[email protected]>
tinkerbell · Jan 12, 2022 · ef69e41 · ef69e41
1 parent b18b238
commit ef69e41
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/db/db.go b/db/db.go
@@ -111,7 +111,7 @@ func get(ctx context.Context, db *sql.DB, query string, args ...interface{}) (st
 func buildGetCondition(fields map[string]string) (string, error) {
 	for column, field := range fields {
 		if field != "" {
-			return fmt.Sprintf("%s = '%s'", column, field), nil
+			return fmt.Sprintf("%s = %s", pq.QuoteIdentifier(column), pq.QuoteLiteral(field)), nil
 		}
 	}
 	return "", errors.New("one GetBy field must be set to build a get condition")