From 69fcb4633334e5d366529f40ce63c29b272d2522 Mon Sep 17 00:00:00 2001
From: Jack Christensen <jack@jackchristensen.com>
Date: Sat, 9 Mar 2024 12:14:44 -0600
Subject: [PATCH] Use spaces instead of parentheses for SQL sanitization.

This still solves the problem of negative numbers creating a line
comment, but this avoids breaking edge cases such as `set foo to $1`
where the substition is taking place in a location where an arbitrary
expression is not allowed.
---
 internal/sanitize/sanitize.go      |  2 +-
 internal/sanitize/sanitize_test.go | 22 +++++++++++-----------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/internal/sanitize/sanitize.go b/internal/sanitize/sanitize.go
index 4c345d508..614a8f8f4 100644
--- a/internal/sanitize/sanitize.go
+++ b/internal/sanitize/sanitize.go
@@ -61,7 +61,7 @@ func (q *Query) Sanitize(args ...interface{}) (string, error) {
 
 			// Prevent SQL injection via Line Comment Creation
 			// https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
-			str = "(" + str + ")"
+			str = " " + str + " "
 		default:
 			return "", fmt.Errorf("invalid Part type: %T", part)
 		}
diff --git a/internal/sanitize/sanitize_test.go b/internal/sanitize/sanitize_test.go
index cc55ed3a2..09a2be1ec 100644
--- a/internal/sanitize/sanitize_test.go
+++ b/internal/sanitize/sanitize_test.go
@@ -132,57 +132,57 @@ func TestQuerySanitize(t *testing.T) {
 		{
 			query:    sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
 			args:     []interface{}{int64(42)},
-			expected: `select (42)`,
+			expected: `select  42 `,
 		},
 		{
 			query:    sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
 			args:     []interface{}{float64(1.23)},
-			expected: `select (1.23)`,
+			expected: `select  1.23 `,
 		},
 		{
 			query:    sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
 			args:     []interface{}{true},
-			expected: `select (true)`,
+			expected: `select  true `,
 		},
 		{
 			query:    sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
 			args:     []interface{}{[]byte{0, 1, 2, 3, 255}},
-			expected: `select ('\x00010203ff')`,
+			expected: `select  '\x00010203ff' `,
 		},
 		{
 			query:    sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
 			args:     []interface{}{nil},
-			expected: `select (null)`,
+			expected: `select  null `,
 		},
 		{
 			query:    sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
 			args:     []interface{}{"foobar"},
-			expected: `select ('foobar')`,
+			expected: `select  'foobar' `,
 		},
 		{
 			query:    sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
 			args:     []interface{}{"foo'bar"},
-			expected: `select ('foo''bar')`,
+			expected: `select  'foo''bar' `,
 		},
 		{
 			query:    sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
 			args:     []interface{}{`foo\'bar`},
-			expected: `select ('foo\''bar')`,
+			expected: `select  'foo\''bar' `,
 		},
 		{
 			query:    sanitize.Query{Parts: []sanitize.Part{"insert ", 1}},
 			args:     []interface{}{time.Date(2020, time.March, 1, 23, 59, 59, 999999999, time.UTC)},
-			expected: `insert ('2020-03-01 23:59:59.999999Z')`,
+			expected: `insert  '2020-03-01 23:59:59.999999Z' `,
 		},
 		{
 			query:    sanitize.Query{Parts: []sanitize.Part{"select 1-", 1}},
 			args:     []interface{}{int64(-1)},
-			expected: `select 1-(-1)`,
+			expected: `select 1- -1 `,
 		},
 		{
 			query:    sanitize.Query{Parts: []sanitize.Part{"select 1-", 1}},
 			args:     []interface{}{float64(-1)},
-			expected: `select 1-(-1)`,
+			expected: `select 1- -1 `,
 		},
 	}