feat: escape single quotes in string literals.

[igalklebanov]

Hey 👋

closes #1124.

This PR introduces some string literal SQL injection denial in the form of escaping ' to deny the most common string literal attacks:

-- when sql.lit(`'; drop table users --`)
where column = ''; drop table users --'
-- when sql.lit(`' or 1=1 --`)
where column = '' or 1=1 --'

and make them:

-- when sql.lit(`'; drop table users --`)
where column = '''; drop table users --'
-- when sql.lit(`' or 1=1 --`)
where column = ''' or 1=1 --'

If you find any additional measures we could take, please submit an issue OR swing by the Discord.
Some things are out of bounds, like SQL parsing, semantic checks, etc.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
kysely	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Apr 6, 2025 9:19pm

[pkg-pr-new]

kysely_koa_example

npm i https://pkg.pr.new/kysely-org/kysely@1392

commit: 5a7952a

[igalklebanov]

• Need to handle strings with ' already being escaped.

• Possibly find a way to opt-out of sanitation.

[koskimas]

LGTM

As discussed in discord, check if already escaped strings could be supported.

[igalklebanov]

@koskimas I wonder if we should add an easy opt-out mechanism in case we did something wrong, and until we fix it. The cheapest (no API changes to dialects and compilers) would be a Kysely-specific environment variable check - but that might be inconvenient to Deno users (might make --allow-env a requirement suddenly). Should we break things and make it part of APIs?

I'm also unsure about the "already escaped literals" problem. Is it a problem? what if the literal is not escaped, just has a bunch of 's grouped together? Can we tell?

[koskimas]

If it's not easy to avoid, let's just forget about it. It's really a niche problem that might not affect anyone.

Let's not do any opt-out or anything. We've done bigger changes with only the hope that it doesn't affect anyone 😅