I suspect the escaping of constant SQL strings is not fully safe.
I think \ needs escaping too, or else it can be used to escape a single quote:
select().from(MyTable).where(MyTable.field === "\\'; drop bobby tables".const)
As long as const strings are not used for user values this shouldn't ever be a problem.
Don't know if this is an issue for DB2, but it would be for MySQL: https://dev.mysql.com/doc/refman/5.7/en/string-literals.html
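Added example, not part of the issue or of the project under discussion: a small model of the problem the report describes. `quoteNaive` is a hypothetical escaper that only doubles single quotes (the behaviour the report suspects the constant-string escaping has); `quoteMysql` additionally escapes the backslash and the other characters MySQL treats specially; `literalEnd` walks a quoted literal the way a MySQL parser would, with a flag for the NO_BACKSLASH_ESCAPES / standard-SQL mode where backslash is not an escape character. `trailingSql` returns whatever would be parsed as SQL after the literal closes, which is the check a reviewer would want to run against an escaper.

```javascript
// Added example (not from the issue or the project): models how a string
// literal escaper behaves under MySQL's backslash-escape rules.

// Hypothetical naive escaper: doubles single quotes only. This is the kind
// of "constant string" escaping the issue suspects is incomplete.
function quoteNaive(value) {
  return "'" + value.replace(/'/g, "''") + "'";
}

// MySQL-style escaper: in MySQL a backslash inside a string literal starts an
// escape sequence (unless sql_mode NO_BACKSLASH_ESCAPES is set), so the
// backslash itself must be escaped along with quotes and control characters.
// The set of characters follows the MySQL string-literal documentation.
function quoteMysql(value) {
  const map = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\x1a": "\\Z",
  };
  return "'" + value.replace(/[\\'"\0\n\r\x1a]/g, (ch) => map[ch]) + "'";
}

// Walk a single-quoted literal the way a MySQL parser would and return the
// index of the closing quote, or -1 if the literal never terminates.
// backslashEscapes=false models NO_BACKSLASH_ESCAPES / standard SQL, where
// only a doubled quote escapes a quote.
function literalEnd(sql, backslashEscapes) {
  if (sql[0] !== "'") throw new Error("expected a single-quoted literal");
  let i = 1;
  while (i < sql.length) {
    const ch = sql[i];
    if (backslashEscapes && ch === "\\") {
      i += 2; // escape sequence: the next character is consumed, whatever it is
    } else if (ch === "'") {
      if (sql[i + 1] === "'") {
        i += 2; // doubled quote is a literal quote
      } else {
        return i; // closing quote
      }
    } else {
      i += 1;
    }
  }
  return -1; // ran off the end: unterminated literal
}

// True when the whole fragment is one literal, i.e. nothing after the
// closing quote would be parsed as SQL.
function literalIsIntact(sql, backslashEscapes = true) {
  return literalEnd(sql, backslashEscapes) === sql.length - 1;
}

// The text a parser would see *outside* the literal; empty when intact.
function trailingSql(sql, backslashEscapes = true) {
  const end = literalEnd(sql, backslashEscapes);
  return end < 0 ? "" : sql.slice(end + 1);
}

// Constructed input: the same value as in the issue's example.
const payload = "\\'; drop bobby tables";

function demo() {
  for (const [name, quote] of [["naive", quoteNaive], ["mysql", quoteMysql]]) {
    const sql = quote(payload);
    console.log(name, sql, "-> trailing SQL:", JSON.stringify(trailingSql(sql)));
  }
}
demo();
```

Under MySQL rules the naive escaper yields `'\''; drop bobby tables'`: the backslash consumes the first quote, the second quote closes the literal, and `; drop bobby tables'` is left outside it. With backslash escaping disabled (the standard-SQL reading) the same fragment is one intact literal, which is why the issue's concern is dialect-dependent.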