TableProApp · datlechin · Dec 29, 2025 · Dec 28, 2025 · Dec 28, 2025 · Dec 28, 2025
diff --git a/TablePro.xcodeproj/project.pbxproj b/TablePro.xcodeproj/project.pbxproj
@@ -253,7 +253,7 @@
 				AUTOMATION_APPLE_EVENTS = NO;
 				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
-				CURRENT_PROJECT_VERSION = 9;
+				CURRENT_PROJECT_VERSION = 10;
 				DEVELOPMENT_TEAM = D7HJ5TFYCU;
 				ENABLE_APP_SANDBOX = NO;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -286,7 +286,7 @@
 				"LD_RUNPATH_SEARCH_PATHS[sdk=macosx*]" = "@executable_path/../Frameworks";
 				LIBRARY_SEARCH_PATHS = "$(PROJECT_DIR)/Libs";
 				MACOSX_DEPLOYMENT_TARGET = 14.6;
-				MARKETING_VERSION = 0.1.9;
+				MARKETING_VERSION = 0.1.10;
 				OTHER_LDFLAGS = (
 					"-force_load",
 					"$(PROJECT_DIR)/Libs/libmariadb.a",
@@ -331,7 +331,7 @@
 				AUTOMATION_APPLE_EVENTS = NO;
 				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
-				CURRENT_PROJECT_VERSION = 9;
+				CURRENT_PROJECT_VERSION = 10;
 				DEVELOPMENT_TEAM = D7HJ5TFYCU;
 				ENABLE_APP_SANDBOX = NO;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -364,7 +364,7 @@
 				"LD_RUNPATH_SEARCH_PATHS[sdk=macosx*]" = "@executable_path/../Frameworks";
 				LIBRARY_SEARCH_PATHS = "$(PROJECT_DIR)/Libs";
 				MACOSX_DEPLOYMENT_TARGET = 14.6;
-				MARKETING_VERSION = 0.1.9;
+				MARKETING_VERSION = 0.1.10;
 				OTHER_LDFLAGS = (
 					"-force_load",
 					"$(PROJECT_DIR)/Libs/libmariadb.a",

diff --git a/TablePro/Core/ChangeTracking/SQLStatementGenerator.swift b/TablePro/Core/ChangeTracking/SQLStatementGenerator.swift
@@ -397,14 +397,8 @@ struct SQLStatementGenerator {
     }
 
     /// Escape characters that can break SQL strings
+    /// Delegates to shared SQLEscaping utility for consistent escaping across the codebase
     private func escapeSQLString(_ str: String) -> String {
-        var result = str
-        result = result.replacingOccurrences(of: "\\", with: "\\\\")  // Backslash first
-        result = result.replacingOccurrences(of: "'", with: "''")    // Single quote
-        result = result.replacingOccurrences(of: "\n", with: "\\n")  // Newline
-        result = result.replacingOccurrences(of: "\r", with: "\\r")  // Carriage return
-        result = result.replacingOccurrences(of: "\t", with: "\\t")  // Tab
-        result = result.replacingOccurrences(of: "\0", with: "\\0")  // Null byte
-        return result
+        SQLEscaping.escapeStringLiteral(str)
     }
 }
diff --git a/TablePro/Core/Database/MySQLDriver.swift b/TablePro/Core/Database/MySQLDriver.swift
@@ -288,7 +288,16 @@ final class MySQLDriver: DatabaseDriver {
     }
 
     func fetchTableDDL(table: String) async throws -> String {
-        let query = "SHOW CREATE TABLE `\(table)`"
+        // The `table` argument must be a valid MySQL/MariaDB table identifier, optionally
+        // schema-qualified, and is interpolated verbatim into the query. Examples:
+        //   - "users"
+        //   - "`mydb`.`users`"
+        //   - "`users`"
+        //
+        // This method does not add any quoting or escaping around `table`. It is the
+        // caller's responsibility to provide a correctly formatted and safely quoted
+        // identifier when needed.
+        let query = "SHOW CREATE TABLE \(table)"
         let result = try await execute(query: query)
 
         // SHOW CREATE TABLE returns 2 columns: Table name and Create Table statement

diff --git a/TablePro/Core/Database/SQLEscaping.swift b/TablePro/Core/Database/SQLEscaping.swift
@@ -0,0 +1,62 @@
+//
+//  SQLEscaping.swift
+//  TablePro
+//
+//  Shared utilities for SQL string escaping to prevent SQL injection.
+//  Used across ExportService, SQLStatementGenerator, and other SQL-generating code.
+//
+
+import Foundation
+
+/// Centralized SQL escaping utilities to prevent SQL injection vulnerabilities
+enum SQLEscaping {
+
+    /// Escape a string value for use in SQL string literals (VALUES, WHERE clauses, etc.)
+    ///
+    /// Handles the following special characters:
+    /// - Backslashes (must be escaped first to avoid double-escaping)
+    /// - Single quotes (SQL standard: doubled)
+    /// - Control characters: null, backspace, tab, newline, form feed, carriage return
+    /// - MySQL EOF marker (\x1A) which can cause parsing issues
+    ///
+    /// Example:
+    /// ```swift
+    /// let safe = SQLEscaping.escapeStringLiteral("O'Brien\\test")
+    /// // Result: "O''Brien\\\\test"
+    /// let sql = "INSERT INTO users (name) VALUES ('\(safe)')"
+    /// ```
+    ///
+    /// - Parameter str: The raw string to escape
+    /// - Returns: The escaped string safe for use in SQL string literals
+    static func escapeStringLiteral(_ str: String) -> String {
+        var result = str
+        // IMPORTANT: Escape backslashes FIRST to avoid double-escaping
+        result = result.replacingOccurrences(of: "\\", with: "\\\\")
+        // Single quote: SQL standard escaping (double the quote)
+        result = result.replacingOccurrences(of: "'", with: "''")
+        // Common control characters
+        result = result.replacingOccurrences(of: "\n", with: "\\n")
+        result = result.replacingOccurrences(of: "\r", with: "\\r")
+        result = result.replacingOccurrences(of: "\t", with: "\\t")
+        result = result.replacingOccurrences(of: "\0", with: "\\0")
+        // Additional control characters that can cause issues
+        result = result.replacingOccurrences(of: "\u{08}", with: "\\b")  // Backspace
+        result = result.replacingOccurrences(of: "\u{0C}", with: "\\f")  // Form feed
+        result = result.replacingOccurrences(of: "\u{1A}", with: "\\Z")  // MySQL EOF marker (Ctrl+Z)
+        return result
+    }
+
+    /// Escape wildcards in LIKE patterns while preserving intentional wildcards
+    ///
+    /// This is useful when building LIKE clauses where the search term should be treated literally.
+    ///
+    /// - Parameter value: The value to escape
+    /// - Returns: The escaped value with %, _, and \ escaped
+    static func escapeLikeWildcards(_ value: String) -> String {
+        var result = value
+        result = result.replacingOccurrences(of: "\\", with: "\\\\")
+        result = result.replacingOccurrences(of: "%", with: "\\%")
+        result = result.replacingOccurrences(of: "_", with: "\\_")
+        return result
+    }
+}
diff --git a/TablePro/Core/Services/CreateTableService.swift b/TablePro/Core/Services/CreateTableService.swift
@@ -545,15 +545,9 @@ struct CreateTableService {
     }
 
     /// Escape characters that can break SQL strings
+    /// Delegates to shared SQLEscaping utility for consistent escaping across the codebase
     private func escapeSQLString(_ str: String) -> String {
-        var result = str
-        result = result.replacingOccurrences(of: "\\", with: "\\\\")  // Backslash first
-        result = result.replacingOccurrences(of: "'", with: "''")    // Single quote (SQL standard)
-        result = result.replacingOccurrences(of: "\n", with: "\\n")  // Newline
-        result = result.replacingOccurrences(of: "\r", with: "\\r")  // Carriage return
-        result = result.replacingOccurrences(of: "\t", with: "\\t")  // Tab
-        result = result.replacingOccurrences(of: "\0", with: "\\0")  // Null byte
-        return result
+        SQLEscaping.escapeStringLiteral(str)
     }
 }