test: add sql.lit(string) test case following #1754.

igalklebanov · igalklebanov · commit 054e80174c61 · 2026-03-20T11:30:03.000+02:00
diff --git a/test/node/src/sql-injection.test.ts b/test/node/src/sql-injection.test.ts
@@ -105,6 +105,21 @@ for (const dialect of DIALECTS) {
         await ctx.db.executeQuery(query)
         await assertDidNotDropTable(ctx, 'person')
       })
+
+      it('should not allow SQL injection via backslash escape in string literals', async () => {
+        const injection = `\\'; drop table ${identifierWrapper}person${identifierWrapper}; -- `
+
+        const query = ctx.db
+          .selectFrom('person')
+          .where('first_name', '=', sql.lit(injection))
+          .selectAll()
+
+        expect(query.compile().sql).to.equal(
+          `select * from ${identifierWrapper}person${identifierWrapper} where ${identifierWrapper}first_name${identifierWrapper} = '\\\\''; drop table ${identifierWrapper}person${identifierWrapper}; -- '`,
+        )
+        await ctx.db.executeQuery(query)
+        await assertDidNotDropTable(ctx, 'person')
+      })
     }
   })
 }
