Quote table and column identifiers using SQLAlchemy dialect preparer when adding missing columns to avoid SQL injection and syntax errors.

2026-04-16 06:43:03 +03:00 · 2026-04-16 06:43:03 +03:00 · 9a56b29e0e
parent 42f9460369
commit 9a56b29e0e
1 changed files with 4 additions and 1 deletions
--- a/src/modules/DashboardConfig.py
+++ b/src/modules/DashboardConfig.py
@ -146,7 +146,10 @@ class DashboardConfig:
                        if col_name not in existing_columns:
                            type_str = col_type().compile(dialect=self.engine.dialect)
                            current_app.logger.info(f"Adding missing column '{col_name}' to table '{table_name}'")
-                            conn.execute(db.text(f'ALTER TABLE "{table_name}" ADD COLUMN "{col_name}" {type_str}'))
+                            preparer = self.engine.dialect.identifier_preparer
+                            quoted_table = preparer.quote_identifier(table_name)
+                            quoted_column = preparer.quote_identifier(col_name)
+                            conn.execute(db.text(f"ALTER TABLE {quoted_table} ADD COLUMN {quoted_column} {type_str}"))

    def getConnectionString(self, database) -> str or None:
        sqlitePath = os.path.join(DashboardConfig.ConfigurationPath, "db")