fix(io): sql lookup unsafe string (#3930)

ngjaying · ngjaying · commit 64c4844fe006 · 2025-11-21T15:53:25.000+08:00
Signed-off-by: Jiyong Huang &lt;huangjy@emqx.io&gt;
diff --git a/extensions/impl/sql/lookupSource.go b/extensions/impl/sql/lookupSource.go
@@ -181,7 +181,7 @@ func (g defaultSQLGen) buildQuery(fields []string, keys []string, values []inter
 		}
 		switch v := values[i].(type) {
 		case string:
-			query += fmt.Sprintf("`%s` = '%s'", k, v)
+			query += fmt.Sprintf("`%s` = '%s'", k, strings.ReplaceAll(v, "'", "''"))
 		default:
 			query += fmt.Sprintf("`%s` = %v", k, v)
 		}
@@ -210,7 +210,7 @@ func (g noQuoteSQLGen) buildQuery(fields []string, keys []string, values []inter
 		}
 		switch v := values[i].(type) {
 		case string:
-			query += fmt.Sprintf("%s = '%s'", k, v)
+			query += fmt.Sprintf("%s = '%s'", k, strings.ReplaceAll(v, "'", "''"))
 		default:
 			query += fmt.Sprintf("%s = %v", k, v)
 		}

Original file line number	Diff line number	Diff line change
`@@ -181,7 +181,7 @@ func (g defaultSQLGen) buildQuery(fields []string, keys []string, values []inter`
`181`	`181`	`}`
`182`	`182`	`switch v := values[i].(type) {`
`183`	`183`	`case string:`
`184`		- query += fmt.Sprintf("`%s` = '%s'", k, v)
	`184`	+ query += fmt.Sprintf("`%s` = '%s'", k, strings.ReplaceAll(v, "'", "''"))
`185`	`185`	`default:`
`186`	`186`	query += fmt.Sprintf("`%s` = %v", k, v)
`187`	`187`	`}`
`@@ -210,7 +210,7 @@ func (g noQuoteSQLGen) buildQuery(fields []string, keys []string, values []inter`
`210`	`210`	`}`
`211`	`211`	`switch v := values[i].(type) {`
`212`	`212`	`case string:`
`213`		`- query += fmt.Sprintf("%s = '%s'", k, v)`
	`213`	`+ query += fmt.Sprintf("%s = '%s'", k, strings.ReplaceAll(v, "'", "''"))`
`214`	`214`	`default:`
`215`	`215`	`query += fmt.Sprintf("%s = %v", k, v)`
`216`	`216`	`}`