Incorrect escaping of identifiers #132

Open
ori-shalom opened this issue Aug 1, 2022 · 1 comment

Comments

ori-shalom commented Aug 1, 2022

One of the main reasons I would like to use loukoum is the claim to handle SQL injection in the builder pattern (quoting table and column names, escaping etc.)

While the idea is great and has a unique value compared to other SQL builder libraries, it seems like the escaping logic is wrong.

Currently, the quoting logic escapes quotes using a backslash (\"), while the correct way to escape double quotes is by using two double quotes ("").

https://www.postgresql.org/docs/current/sql-syntax-lexical.html#:~:text=To%20include%20a%20double%20quote%2C%20write%20two%20double%20quotes

The code that has the issue:

loukoum/stmt/stmt.go

Lines 19 to 26 in 1a6e491

func quote(ident string) string {
	split := strings.Split(ident, ".")
	quoted := make([]string, 0, len(split))
	for i := range split {
		quoted = append(quoted, strconv.Quote(split[i]))
	}
	return strings.Join(quoted, ".")
}

I would expect the quoting to use the following Sanitize method from the pgx driver:
https://github.com/jackc/pgx/blob/8b9b4055f3b679999adde4a0ab44eb6e1ea536c7/conn.go#L80-L92

Note it also handles zero bytes.
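The following is an added example, not code from loukoum or from the linked pgx file, that puts the reported `strconv.Quote` behaviour side by side with delimiting that follows the PostgreSQL lexical rule from the linked docs (double an embedded `"`, escape nothing else). The names `quoteBackslash`, `quotePart`, `quoteQualified`, `ErrNulByte` and `ErrEmptyIdentifier` are mine; the sample identifiers are constructed. Rejecting an identifier that contains a NUL byte with an error is this example's choice, the issue only states that the pgx method handles zero bytes, not how.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// quoteBackslash reproduces the behaviour reported in the issue: strconv.Quote
// emits a Go string literal, so an embedded double quote becomes \" and a
// control character becomes a Go escape such as \t. PostgreSQL does not treat
// backslash as an escape inside a delimited identifier, so "weird\"name" is
// lexed as the identifier weird\ followed by stray tokens.
func quoteBackslash(ident string) string {
	split := strings.Split(ident, ".")
	quoted := make([]string, 0, len(split))
	for i := range split {
		quoted = append(quoted, strconv.Quote(split[i]))
	}
	return strings.Join(quoted, ".")
}

// Errors for identifiers that cannot be delimited safely. Rejecting rather
// than silently altering the identifier is this example's design choice.
var (
	ErrNulByte         = errors.New("identifier contains a NUL byte")
	ErrEmptyIdentifier = errors.New("identifier part is empty")
)

// quotePart delimits one identifier part following the PostgreSQL lexical
// rule linked in the issue: wrap it in double quotes and write an embedded
// double quote as two double quotes. Nothing else is rewritten, so the
// identifier round-trips byte-for-byte.
func quotePart(part string) (string, error) {
	if part == "" {
		return "", ErrEmptyIdentifier // PostgreSQL rejects "" as a zero-length identifier
	}
	if strings.IndexByte(part, 0) >= 0 {
		return "", ErrNulByte // a NUL byte cannot be part of a PostgreSQL identifier
	}
	return `"` + strings.ReplaceAll(part, `"`, `""`) + `"`, nil
}

// quoteQualified keeps the dotted-name convention of the reported code
// (schema.table.column) and delimits each part separately. Caveat: a single
// part that itself contains a "." cannot be expressed through this interface.
func quoteQualified(ident string) (string, error) {
	parts := strings.Split(ident, ".")
	quoted := make([]string, 0, len(parts))
	for _, p := range parts {
		q, err := quotePart(p)
		if err != nil {
			return "", fmt.Errorf("quoting %q: %w", ident, err)
		}
		quoted = append(quoted, q)
	}
	return strings.Join(quoted, "."), nil
}

func main() {
	// Constructed sample identifiers, not values taken from the issue.
	samples := []string{`users`, `public.weird"name`, "tab\there", "a\x00b", "public."}
	for _, ident := range samples {
		safe, err := quoteQualified(ident)
		fmt.Printf("%-22q backslash=%-24s doubled=%-24s err=%v\n",
			ident, quoteBackslash(ident), safe, err)
	}
}
```

Running `main` prints, for each sample, the backslash form the reported code produces next to the doubled-quote form. The `public.weird"name` row shows the difference that matters for injection: `"public"."weird\"name"` is lexed by PostgreSQL as `weird\` plus leftover tokens, while `"public"."weird""name"` names exactly one column.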

thoas (member) commented Aug 1, 2022

Thank you for the report @ori-shalom!

We will take this issue in the next few weeks (French holidays); in the meantime, if you want to send us a PR, you are welcome!
