User db307b0d0f fix(security): add SQL injection defense for CREATE DATABASE ...

Add quoteIdentifier() function to safely quote PostgreSQL identifiers
following PostgreSQL's quoting rules (wrap in double quotes, escape
internal quotes by doubling).

This provides defense-in-depth for the CREATE DATABASE statement,
complementing the existing validateDBName() input validation.

Changes:
- Add quoteIdentifier() function with proper escaping
- Use quoted identifier in CREATE DATABASE statement
- Add comprehensive unit tests for quoteIdentifier()

2026-04-16 20:28:36 +08:00

3.2 KiB

Raw Blame History

View Raw