From 2d87a52691abdaf63f52c818b227a80dbd49df0c Mon Sep 17 00:00:00 2001
From: Yanhu007
Date: Mon, 13 Apr 2026 06:36:01 +0800
Subject: [PATCH] fix: prevent SQL injection via driver.Valuer error messages

AppendError embeds error messages directly into the SQL query string without any escaping. A malicious driver.Valuer can return an error whose message closes the ?!() wrapper and injects arbitrary SQL.

Wrap the error message in single quotes and escape any single quotes within the message to prevent SQL injection.

Before: ?!(error message here)
After: ?!('error message here')

Fixes #1307
---
 dialect/append.go | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/dialect/append.go b/dialect/append.go
index 8f5485fe3..8d4d9c8e1 100644
--- a/dialect/append.go
+++ b/dialect/append.go
@@ -8,9 +8,23 @@ import (
 )
 
 func AppendError(b []byte, err error) []byte {
- b = append(b, "?!("...)
- b = append(b, err.Error()...)
- b = append(b, ')')
+ b = append(b, "?!('"...)
+ b = appendSanitizedError(b, err.Error())
+ b = append(b, "')"...)
+ return b
+}
+
+// appendSanitizedError escapes single quotes in error messages to prevent
+// SQL injection when driver.Valuer returns an error that gets embedded in
+// the query string.
+func appendSanitizedError(b []byte, s string) []byte {
+ for i := 0; i < len(s); i++ {
+ if s[i] == '\'' {
+ b = append(b, '\'', '\'')
+ } else {
+ b = append(b, s[i])
+ }
+ }
 return b
 }
 
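Review bot: appendSanitizedError doubles single quotes but leaves backslashes untouched, so on a backend that treats `\` as an escape inside string literals (MySQL with its default sql_mode, if this dialect package serves one — that is not visible from the hunk) a message ending in `\` turns the closing `'` into an escaped character and the literal runs on past `')` into the rest of the query. Doubling backslashes as well closes that gap and is at worst cosmetic on backends where `\` is literal: `if c := s[i]; c == '\'' || c == '\\' { b = append(b, c, c) } else { b = append(b, c) }`. The helper's doc comment states the motivation rather than the contract; something like `// appendSanitizedError appends s as the body of a single-quoted SQL string literal, doubling every ' (and \) so the message can never terminate the literal.` tells a maintainer what the output is guaranteed to look like. The diffstat shows no test change; a case such as `AppendError(nil, errors.New("a'b"))` yielding `?!('a''b')` would pin the escaping against regression.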