From 3ce6ec6fffb958453b65ec5f7b0c1c37ad1cd8a2 Mon Sep 17 00:00:00 2001
From: Pooja Pathak <33315652+pooja1pathak@users.noreply.github.com>
Date: Wed, 5 Jun 2024 17:29:16 +0530
Subject: [PATCH] fix for 702 (#759)

---
 RELEASE_NOTES.md                      |  2 ++
 timescale-container/crate-exporter.py | 31 +++++++++++++++++++++------
 2 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 070fe18c..55703622 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -4,6 +4,8 @@
 
 ### New features
 
+- Added escaping in crate-exporter.py (#702)
+
 ### Bug fixes
 
 - Fix to return OK/200 and an empty result set when no data found (#720)
diff --git a/timescale-container/crate-exporter.py b/timescale-container/crate-exporter.py
index cabe0936..636cf944 100644
--- a/timescale-container/crate-exporter.py
+++ b/timescale-container/crate-exporter.py
@@ -67,23 +67,42 @@ def get(self):
 class CrateSql:
     """Crate SQL utilities."""
 
+    @staticmethod
+    def escape_single_quote(x: str) -> str:
+        """
+        Single quote escaping for Postres strings: replace any single quote
+        with two single quotes. E.g. x'y'z ~~~> x''y''z
+        """
+        return x.replace("'", "''")
+
+    @staticmethod
+    def escape_double_quote(x: str) -> str:
+        """
+        Double quote escaping for Postres quoted identifiers: replace any
+        double quote with two double quotes. E.g. x"y"z ~~~> x""y""z
+        """
+        return x.replace('"', '""')
+
     @staticmethod
     def to_string(x) -> str:
         """
-        Convert the input into a Crate string.
+        Convert the input into a Crate string, escaping if needed.
         E.g. input   ~~~> 'input'
+             in'put  ~~~> 'in''put'
         """
-        v = str(x)  # TODO consider escaping?
-        return f"'{v}'"
+        escaped = CrateSql.escape_single_quote(str(x))
+        return f"'{escaped}'"
 
     @staticmethod
     def to_quoted_identifier(x) -> str:
         """
-        Convert the input into a Crate quoted identifier.
+        Convert the input into a Crate quoted identifier, escaping if
+        needed.
         E.g. input   ~~~> "input"
+             in"put  ~~~> "in""put"
         """
-        v = str(x)  # TODO consider escaping?
-        return f'"{v}"'
+        escaped = CrateSql.escape_double_quote(str(x))
+        return f'"{escaped}"'
 
 
 class CrateTableIdentifier: