tursodatabase / libsql-shell-go

Internal commands should use statements with parameters, or correctly escape values

CodingDoug opened this issue

Create and populate a table with a name that includes a single quote:

→  create table [asdf'asdf] (t text);
→  insert into [asdf'asdf] values ('x');
→  select * from [asdf'asdf];
T
x

→  .dump
...
Error: failed to execute SQL: SELECT SQL FROM sqlite_master WHERE TBL_NAME='asdf'asdf'
syntax error around L1:56: `asdf`

Internally, this is how the SQL command is built:

fmt.Sprintf("SELECT SQL FROM sqlite_master WHERE TBL_NAME='%s'", tableName),

File: internal/shellcmd/dump.go
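
The two remedies named in the issue title, sketched next to the quoted `fmt.Sprintf` pattern. This is an added example, not code from libsql-shell-go; all function names are hypothetical, and `literalsClosed` is a simplified check written only to show why `asdf'asdf` leaves the statement with an unterminated string literal.

```go
package main

import (
	"fmt"
	"strings"
)

// unsafeDumpQuery reproduces the quoted pattern: the name is pasted into a '...' literal.
func unsafeDumpQuery(tableName string) string {
	return fmt.Sprintf("SELECT SQL FROM sqlite_master WHERE TBL_NAME='%s'", tableName)
}

// paramDumpQuery keeps the SQL constant; pass both to database/sql's db.Query(query, args...).
func paramDumpQuery(tableName string) (string, []interface{}) {
	return "SELECT SQL FROM sqlite_master WHERE TBL_NAME = ?", []interface{}{tableName}
}

// quoteLiteral is the escaping fallback: SQLite escapes ' inside a literal by doubling it.
func quoteLiteral(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// escapedDumpQuery builds the same statement with an escaped literal.
func escapedDumpQuery(tableName string) string {
	return "SELECT SQL FROM sqlite_master WHERE TBL_NAME=" + quoteLiteral(tableName)
}

// literalsClosed reports whether every '...' literal in sql is terminated ('' = escaped quote).
// Simplified: it ignores SQL comments and quoted identifiers.
func literalsClosed(sql string) bool {
	inLiteral := false
	for i := 0; i < len(sql); i++ {
		switch {
		case sql[i] != '\'':
		case inLiteral && i+1 < len(sql) && sql[i+1] == '\'':
			i++ // doubled quote: escaped, stay inside the literal
		default:
			inLiteral = !inLiteral
		}
	}
	return !inLiteral
}

func main() {
	name := "asdf'asdf" // constructed input: the table name from the issue
	q, args := paramDumpQuery(name)
	fmt.Println(literalsClosed(unsafeDumpQuery(name)), unsafeDumpQuery(name))
	fmt.Println(literalsClosed(escapedDumpQuery(name)), escapedDumpQuery(name))
	fmt.Println(q, args)
}
```

The parameterized form is preferable because the SQL text never depends on the table name; escaping is the fallback where bound parameters are not available.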