334ce052f0
Replace string concatenation with parameterized queries in all database connectors to prevent SQL injection through LLM-generated table names. Changes: - PostgreSQL: Use $1, $2 placeholders with pg client parameterization - MySQL: Use ? placeholders with mysql2 execute() prepared statements - MSSQL: Use @p0 placeholders with request.input() parameterization - Update handlers to support parameterized query objects - Add formatQueryForDisplay() for logging parameterized queries Security: Mitigates potential SQL injection when LLM passes unsanitized user input as table_name parameter to getTableSchemaSql/getTablesSql. GHSA-jwjx-mw2p-5wc7 |
||
|---|---|---|
| .. | ||
| SQLConnectors | ||
| get-table-schema.js | ||
| index.js | ||
| list-database.js | ||
| list-table.js | ||
| query.js | ||