Escape single quotes on insert (#198)

njord/src/mssql/insert.rs

@@ -165,8 +165,12 @@ fn generate_statement<T: Table>(table_row: &T, first_statement: bool) -> Result<
             debug!("Skipping AutoIncrementPrimaryKey field in SQL statement generation.");
             continue;
         }
+
+        // Escape single quotes in the value
+        let escaped_value = value.replace("'", "''");
+
         columns_str.push_str(&format!("{}, ", column_name));
-        values_str.push_str(&format!("'{}', ", value)); // Surround values with single quotes
+        values_str.push_str(&format!("'{}', ", escaped_value)); // Surround values with single quotes
     }
 
     // Sanitize table name from unwanted quotations or backslashes

njord/src/mysql/insert.rs

@@ -167,8 +167,12 @@ fn generate_statement<T: Table>(table_row: &T, first_statement: bool) -> Result<
             debug!("Skipping AutoIncrementPrimaryKey field in SQL statement generation.");
             continue;
         }
+
+        // Escape single quotes in the value
+        let escaped_value = value.replace("'", "''");
+
         columns_str.push_str(&format!("{}, ", column_name));
-        values_str.push_str(&format!("'{}', ", value)); // Surround values with single quotes
+        values_str.push_str(&format!("'{}', ", escaped_value)); // Surround values with single quotes
     }
 
     // Sanitize table name from unwanted quotations or backslashes

njord/src/oracle/insert.rs

@@ -170,8 +170,12 @@ fn generate_statement<T: Table>(table_row: &T, first_statement: bool) -> Result<
             debug!("Skipping AutoIncrementPrimaryKey field in SQL statement generation.");
             continue;
         }
+
+        // Escape single quotes in the value
+        let escaped_value = value.replace("'", "''");
+
         columns_str.push_str(&format!("{}, ", column_name));
-        values_str.push_str(&format!("'{}', ", value)); // Surround values with single quotes
+        values_str.push_str(&format!("'{}', ", escaped_value)); // Surround values with single quotes
     }
 
     // Sanitize table name from unwanted quotations or backslashes

njord/src/sqlite/insert.rs

@@ -161,8 +161,12 @@ fn generate_statement<T: Table>(table_row: &T, first_statement: bool) -> Result<
             debug!("Skipping AutoIncrementPrimaryKey field in SQL statement generation.");
             continue;
         }
+
+        // Escape single quotes in the value
+        let escaped_value = value.replace("'", "''");
+
         columns_str.push_str(&format!("{}, ", column_name));
-        values_str.push_str(&format!("'{}', ", value)); // Surround values with single quotes
+        values_str.push_str(&format!("'{}', ", escaped_value)); // Surround values with single quotes
     }
 
     // Sanitize table name from unwanted quotations or backslashes

njord/tests/mssql/insert_test.rs

@@ -26,3 +26,27 @@ async fn insert_row() {
         }
     }
 }
+
+#[tokio::test]
+async fn insert_row_with_single_quotes() {
+    let connection_string =
+        "jdbc:sqlserver://localhost;encrypt=true;username=sa;password=Njord_passw0rd;databaseName=NjordDatabase;";
+    let mut conn = mssql::open(connection_string).await;
+
+    let table_row: User = User {
+        id: AutoIncrementPrimaryKey::default(),
+        username: "quote_user".to_string(),
+        email: "quote_user@example.com".to_string(),
+        address: "Some Random 'Address' 1".to_string(),
+    };
+
+    match conn {
+        Ok(ref mut c) => {
+            let result = mssql::insert(c, vec![table_row]).await;
+            assert!(result.is_ok());
+        }
+        Err(e) => {
+            panic!("Failed to INSERT: {:?}", e);
+        }
+    }
+}

njord/tests/mysql/insert_test.rs

@@ -25,3 +25,26 @@ fn insert_row() {
         }
     }
 }
+
+#[test]
+fn insert_row_with_single_quotes() {
+    let url = "mysql://njord_user:njord_password@localhost:3306/njord_db";
+    let mut conn = mysql::open(url);
+
+    let table_row: User = User {
+        id: AutoIncrementPrimaryKey::default(),
+        username: "quote_user".to_string(),
+        email: "quote_user@example.com".to_string(),
+        address: "Some Random 'Address' 1".to_string(),
+    };
+
+    match conn {
+        Ok(ref mut c) => {
+            let result = mysql::insert(c, vec![table_row]);
+            assert!(result.is_ok());
+        }
+        Err(e) => {
+            panic!("Failed to INSERT: {:?}", e);
+        }
+    }
+}

njord/tests/oracle/insert_test.rs

@@ -25,3 +25,26 @@ fn insert_row() {
         }
     }
 }
+
+#[test]
+fn insert_row_with_single_quotes() {
+    let connection_string = "//localhost:1521/FREEPDB1";
+    let mut conn = oracle::open("njord_user", "njord_password", connection_string);
+
+    let table_row: User = User {
+        id: AutoIncrementPrimaryKey::default(),
+        username: "quote_user".to_string(),
+        email: "quote_user@example.com".to_string(),
+        address: "Some Random 'Address' 1".to_string(),
+    };
+
+    match conn {
+        Ok(ref mut c) => {
+            let result = oracle::insert(c, vec![table_row]);
+            assert!(result.is_ok());
+        }
+        Err(e) => {
+            panic!("Failed to INSERT: {:?}", e);
+        }
+    }
+}

njord/tests/sqlite/insert_test.rs

@@ -68,3 +68,27 @@ fn insert_with_sub_query() {
         }
     }
 }
+
+#[test]
+fn insert_row_with_single_quotes() {
+    let db_relative_path = "./db/insert.db";
+    let db_path = Path::new(&db_relative_path);
+    let mut conn = sqlite::open(db_path);
+
+    let table_row: User = User {
+        id: AutoIncrementPrimaryKey::default(),
+        username: "quote_user".to_string(),
+        email: "quote_user@example.com".to_string(),
+        address: "Some Random 'Address' 1".to_string(),
+    };
+
+    match conn {
+        Ok(ref mut c) => {
+            let result = sqlite::insert(c, vec![table_row]);
+            assert!(result.is_ok());
+        }
+        Err(e) => {
+            panic!("Failed to INSERT: {:?}", e);
+        }
+    }
+}