From f9cdd2da722740dd7b3f15a27bf713a253f404dc Mon Sep 17 00:00:00 2001 From: Raymond <32004098+tang2087@users.noreply.github.com> Date: Wed, 11 Sep 2024 20:53:39 +1000 Subject: [PATCH] fix: sql injection for schema (but not sql run as it is designed for that). (#56) --- .../services/_data_provider_service/_provider.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/kontext_copilot/services/_data_provider_service/_provider.py b/kontext_copilot/services/_data_provider_service/_provider.py index e9bea2b..f29abac 100644 --- a/kontext_copilot/services/_data_provider_service/_provider.py +++ b/kontext_copilot/services/_data_provider_service/_provider.py @@ -11,6 +11,9 @@ DataSourceModel, SchemaTablesModel, ) +from kontext_copilot.utils import get_logger + +logger = get_logger() class BaseProvider(ABC): @@ -210,7 +213,8 @@ def run_sql( """ with self.engine.connect() as conn: if schema is not None: - conn.execute(f"USE {schema}") + conn.execute(text("USE :schema"), {"schema": schema}) + logger.debug(f"Executing SQL: {sql}") statement = text(sql) result = conn.execute(statement=statement) if result.returns_rows == False:
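Review bot: Binding the schema as a parameter in `text("USE :schema")` does not make `USE` safe or working: bind parameters substitute values, not identifiers, so the driver sends the schema as a quoted string literal (or a placeholder the server rejects), which most backends treat as a syntax error rather than a schema switch. Identifiers need dialect-aware quoting, e.g. `quoted = conn.dialect.identifier_preparer.quote(schema)` followed by `conn.execute(text(f"USE {quoted}"))`, ideally after checking `schema` against the schemas the provider already knows about (an allowlist is the real defence here, since quoting alone only neutralises the injection, not an arbitrary schema choice). The new `logger.debug(f"Executing SQL: {sql}")` sits inside the `if schema is not None:` branch, so SQL run without a schema is never logged — presumably it should be dedented to the `with` level; also be aware that logging the full statement at debug level may capture sensitive literals. `run_sql` begins before this hunk and continues past it.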