@@ -1006,25 +1006,20 @@ export function validateGoogleCalendarId(
10061006}
10071007
10081008/**
1009- * Sanitizes a SQL identifier by escaping single quotes
1009+ * Escapes a value for use in single-quoted SQL string contexts
10101010 *
1011- * This function escapes single quotes by doubling them (PostgreSQL/MySQL standard)
1012- * to prevent SQL injection while allowing all valid identifier names.
1011+ * Escapes single quotes by doubling them (SQL standard: `'` → `''`).
1012+ * This prevents SQL injection because `''` inside a single-quoted string
1013+ * represents a literal quote character, keeping the entire value as one string.
10131014 *
1014- * @param name - The identifier name to sanitize
1015- * @param maxLength - Maximum length allowed (default: 63 for PostgreSQL)
1016- * @returns The sanitized identifier
1017- * @throws Error if name is empty or exceeds maxLength
1018- *
1019- * @example
1020- * ```typescript
1021- * const safeSchema = sanitizeSqlIdentifier(schema)
1022- * const query = `SELECT * FROM ${safeSchema}.users`
1023- * ```
1015+ * @param value - The value to escape
1016+ * @param maxLength - Maximum length allowed (default: 63)
1017+ * @returns The escaped value safe for single-quoted SQL strings
1018+ * @throws Error if value is empty or exceeds maxLength
10241019 */
1025- export function sanitizeSqlIdentifier ( name : string , maxLength = 63 ) : string {
1026- if ( ! name || name . length > maxLength ) {
1027- throw new Error ( `Invalid identifier : ${ name } ` )
1020+ export function escapeSqlString ( value : string , maxLength = 63 ) : string {
1021+ if ( ! value || value . length > maxLength ) {
1022+ throw new Error ( `Invalid value : ${ value } ` )
10281023 }
1029- return name . replace ( / ' / g, "''" )
1024+ return value . replace ( / ' / g, "''" )
10301025}
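Review bot: The new docstring claims the escaping "prevents SQL injection", but the body only doubles single quotes, which is sufficient only where the string literal is parsed with standard-conforming strings; on MySQL with backslash escapes enabled (the default unless NO_BACKSLASH_ESCAPES is set), a backslash before a quote still breaks out of the literal, and the doubled quote does nothing at all in an identifier position such as the `${safeSchema}.users` example the old docstring removed. The rename to escapeSqlString corrects the documented purpose, but any caller that still splices the result into an identifier position would now be documented as safe without being so; I cannot see the call sites from this hunk, so that needs checking. I would add above the return, `// Only doubles single quotes: valid for single-quoted literals with standard-conforming strings, not for identifiers or backslash-escaping dialects; prefer parameterized queries where available.` The retained `maxLength = 63` default is the PostgreSQL identifier length limit, which no longer has a rationale for a string value; the @param line should either say why 63 is kept or the default should be reconsidered.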