Skip to main content

fraiseql_db/
path_escape.rs

1//! Escape utilities for JSON path SQL injection prevention.
2//!
3//! Different databases have different escaping requirements for JSON paths:
4//! - PostgreSQL: Single quote in JSONB operators -> double it
5//! - MySQL: Single quote in JSON_EXTRACT -> escape with backslash
6//! - SQLite: Single quote in json_extract -> escape with backslash
7//! - SQL Server: Single quote in JSON_VALUE -> double it
8
9/// Escape a single path segment for use in PostgreSQL JSONB operators.
10///
11/// PostgreSQL JSONB operators (->,'->>',->) are literal string operators
12/// where the right operand is interpreted as a JSON key string.
13/// Single quotes within the string must be doubled for SQL escaping.
14///
15/// # Example
16/// ```
17/// use fraiseql_db::path_escape::escape_postgres_jsonb_segment;
18/// assert_eq!(escape_postgres_jsonb_segment("user'name"), "user''name");
19/// assert_eq!(escape_postgres_jsonb_segment("normal"), "normal");
20/// ```
21#[must_use]
22pub fn escape_postgres_jsonb_segment(segment: &str) -> String {
23    segment.replace('\'', "''")
24}
25
26/// Escape a full JSON path for use in PostgreSQL JSONB operators.
27///
28/// # Example
29/// ```
30/// use fraiseql_db::path_escape::escape_postgres_jsonb_path;
31/// let path = vec!["user".to_string(), "name".to_string()];
32/// let result = escape_postgres_jsonb_path(&path);
33/// // Ensures each segment is properly escaped
34/// ```
35#[must_use]
36pub fn escape_postgres_jsonb_path(path: &[String]) -> Vec<String> {
37    path.iter().map(|segment| escape_postgres_jsonb_segment(segment)).collect()
38}
39
40/// Escape a JSON path for MySQL JSON_EXTRACT/JSON_UNQUOTE.
41///
42/// MySQL JSON paths use dot notation: '$.field.subfield'
43/// Single quotes are doubled (`''`) rather than backslash-escaped so that the
44/// path is safe even when the server runs with `NO_BACKSLASH_ESCAPES` mode.
45///
46/// # Example
47/// ```
48/// use fraiseql_db::path_escape::escape_mysql_json_path;
49/// let path = vec!["user".to_string(), "name".to_string()];
50/// let result = escape_mysql_json_path(&path);
51/// assert_eq!(result, "$.user.name");
52/// ```
53#[must_use]
54pub fn escape_mysql_json_path(path: &[String]) -> String {
55    let json_path = path.join(".");
56    // Double single quotes for SQL string literal; safe under NO_BACKSLASH_ESCAPES.
57    format!("$.{}", json_path.replace('\'', "''"))
58}
59
60/// Escape a JSON path for SQLite json_extract.
61///
62/// SQLite JSON paths use dot notation: '$.field.subfield'
63/// Single quotes are doubled (`''`) rather than backslash-escaped so that the
64/// path is safe regardless of SQLite compile-time escape settings.
65#[must_use]
66pub fn escape_sqlite_json_path(path: &[String]) -> String {
67    let json_path = path.join(".");
68    // Double single quotes for SQL string literal; backslash escaping is not
69    // a reliable cross-mode choice for SQLite.
70    format!("$.{}", json_path.replace('\'', "''"))
71}
72
73/// Escape a JSON path for SQL Server JSON_VALUE.
74///
75/// SQL Server JSON paths use dot notation: '$.field.subfield'
76/// Single quotes must be escaped for SQL string literals.
77#[must_use]
78pub fn escape_sqlserver_json_path(path: &[String]) -> String {
79    let json_path = path.join(".");
80    format!("$.{}", json_path.replace('\'', "''"))
81}
82
83#[cfg(test)]
84mod tests;