From 7c2b1398258c35a88c2f80db922d28d29df5c15d Mon Sep 17 00:00:00 2001
From: kolaente
Date: Wed, 17 Jun 2026 13:55:50 +0200
Subject: [PATCH] fix(db): interpolate table identifiers in truncate instead of binding them
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
MySQL/MariaDB/Postgres cannot bind a table name as a ? placeholder, so the non-SQLite branch failed with a syntax error. Interpolate the already-validated identifier with x.Quote (per-dialect quoting) instead. validateTableName restricts to registered table names, so this is injection-safe — the same trust model the SQLite branch already relies on. Latent bug surfaced by the new cross-engine testing webtest, which is the first to exercise this path on MySQL/MariaDB.
---
 pkg/db/dump.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/db/dump.go b/pkg/db/dump.go
index 1d9f803b9..be345e173 100644
--- a/pkg/db/dump.go
+++ b/pkg/db/dump.go
@@ -127,7 +127,7 @@ func RestoreAndTruncate(table string, contents []map[string]interface{}) (err er
 return err
 }
 } else {
- if _, err := x.Query("TRUNCATE TABLE ?", table); err != nil {
+ if _, err := x.Query("TRUNCATE TABLE " + x.Quote(table)); err != nil {
 return err
 }
 }
@@ -148,7 +148,7 @@ func TruncateAllTables() error {
 return err
 }
 } else {
- if _, err := x.Query("TRUNCATE TABLE ?", name); err != nil {
+ if _, err := x.Query("TRUNCATE TABLE " + x.Quote(name)); err != nil {
 return err
 }
 }
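Review bot: The concatenated `TRUNCATE TABLE` statement in RestoreAndTruncate is only as safe as the validation that precedes it, and that call is not visible in this hunk (the function body starts and ends outside it). Quoting with `x.Quote` should be treated as dialect formatting rather than as an injection defence, so I would pin the invariant at the call site with a comment such as `// table must already have passed validateTableName; it is interpolated into the SQL text, not bound`. The same applies to `name` in the TruncateAllTables hunk, where the source of the names is likewise outside the hunk. Separately, `x.Exec` would fit a statement that returns no rows better than `x.Query`.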