Identifier quote escaping #768
Description
SQL identifier names are not being escaped, thus enabling SQL injection attacks.
Here is a minimal example to reproduce:
import pypika
table = pypika.Table('my_table"--')
field = getattr(table, 'my_field"--')
builder = (
pypika.Query.from_(table, dialect=pypika.Dialects.POSTGRESQL)
.select(field)
.where(table.name == "value'")
)
print(builder)This code produces the following SQL, where single quotes are correctly being escaped but double quotes are not:
SELECT "my_field"--" FROM "my_table"--" WHERE "name"='value'''