From 4cb4b855bf4a30795a5000b3d1ea63ca5b555967 Mon Sep 17 00:00:00 2001
From: Bjarne von Horn
Date: Sun, 4 Aug 2024 00:47:12 +0200
Subject: [PATCH] Use backticks to enquote SQL identifiers

Using double quotes had the disadvantage that unknown column names were silently changed to a string literal in WHERE statements. This can be avoided by using backticks.
Fixes #43
---
 include/warehouse_ros_sqlite/utils.hpp | 2 +-
 test/DatabaseConnection.cpp | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/include/warehouse_ros_sqlite/utils.hpp b/include/warehouse_ros_sqlite/utils.hpp
index e5c1d9c..3255fb3 100644
--- a/include/warehouse_ros_sqlite/utils.hpp
+++ b/include/warehouse_ros_sqlite/utils.hpp
@@ -104,7 +104,7 @@ using escaped_columnname = std::string;
 using escaped_tablename = std::string;
 inline std::string escape_identifier(const std::string & s)
 {
- return "\"" + detail::escape<'"'>(s) + "\"";
+ return "`" + detail::escape<'`'>(s) + "`";
 }
 inline escaped_columnname escape_columnname_with_prefix(const std::string & c)
 {
diff --git a/test/DatabaseConnection.cpp b/test/DatabaseConnection.cpp
index 51f93fd..5d7b5f3 100644
--- a/test/DatabaseConnection.cpp
+++ b/test/DatabaseConnection.cpp
@@ -439,6 +439,23 @@ TEST_F(ConnectionTest, appendGTE)
 }
 }

+TEST_F(ConnectionTest, BacktickInMeta)
+{
+ auto coll = conn_->openCollection("test_db", "test_collection_backtick");
+
+ auto metadata = coll.createMetadata();
+ metadata->append("test_`metadata", 5.0);
+
+ geometry_msgs::msg::Point msg = {};
+ coll.insert(msg, metadata);
+
+ {
+ auto query = coll.createQuery();
+ query->appendGTE("test_`metadata", 4.0);
+ EXPECT_EQ(coll.queryList(query).size(), 1);
+ }
+}
+
 TEST(Utils, Md5Validation)
 {
 const char * a = "4a842b65f413084dc2b10fb484ea7f17";
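Review bot: The new return line in `escape_identifier` has no comment explaining why it uses backticks. In SQLite they are a MySQL-compatibility quoting form rather than standard SQL, so a later cleanup could switch back to double quotes and restore the silent string-literal fallback. I would add above the return: `// Backticks, not double quotes: SQLite treats an unknown double-quoted name as a string literal, which silently changes WHERE semantics.` The quoting is only safe if the `detail::escape` instantiation for the backtick doubles every embedded backtick; that helper is outside this hunk, so it is worth confirming. As defence in depth, if the connection setup is within reach, disabling `SQLITE_DBCONFIG_DQS_DML` and `SQLITE_DBCONFIG_DQS_DDL` through `sqlite3_db_config` would make any double-quoted identifier left elsewhere in hand-written SQL fail loudly.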
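Review bot: `BacktickInMeta` covers only the escaping round trip for a name containing a backtick; it does not pin the regression the commit message describes, where an unknown column name in a WHERE clause was silently compared as a string literal. I would add a second query block on the same collection, `query->appendGTE("no_such_field", 4.0);`, and assert whatever the library now does for a missing column (an error from statement preparation or an empty result, which cannot be determined from this hunk). Without that case a future change back to double quotes would still pass this test. As a smaller style point, `EXPECT_EQ(coll.queryList(query).size(), 1);` compares an unsigned size with a signed literal; `1u` avoids the sign-compare warning.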