by qwertydog 660 days ago
Just checked out the MS SQL script. I believe it's vulnerable to SQL injection via table/column/view/index/schema names (however unlikely that may be). You might want a disclaimer not to run the script with object names that could be user-provided (especially as a privileged user).

Thanks for pointing that out! Just to clarify, we provide a single, hardcoded query that fetches metadata, with no option for user input. The user only needs to take the generated JSON and use it in a React app that they can also run locally. Since there's no user input involved, SQL injection shouldn't be a concern here. If you see any specific risks, though, I’d love to hear more!
Ah sorry, my bad, I should have read the full script. The script fails though if object names contain double quotes, e.g. https://dbfiddle.uk/y-C6Da07
Thanks for catching that! I’ve fixed it for you here: https://dbfiddle.uk/F2vuGKVS. I also tested the export script with a table name like "table", and it worked. If you don’t mind, could you open an issue in our repo? I’ll work on pushing a full fix today.
Just saw this. I see you've already pushed a fix on GitHub, thanks. I can't see object IDs being included in the script, so I assume multiple objects with similar names will all be treated as the "same" object, e.g. https://dbfiddle.uk/O_yZLjpN
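The two defects raised in the thread (object names containing double quotes breaking the generated JSON, and same-named objects in different schemas collapsing into one) can both be avoided by letting SQL Server build the JSON and carrying `object_id` plus the schema name. This is an added T-SQL example, not the project's own export script; the `sales`/`archive` schemas and table names are a constructed fixture.

```sql
-- Constructed fixture: two tables sharing a name across schemas, plus a
-- table whose name contains a double quote. Run each CREATE SCHEMA in its
-- own batch (hence the GO separators).
CREATE SCHEMA sales;
GO
CREATE SCHEMA archive;
GO
CREATE TABLE sales.orders   (id int NOT NULL, total decimal(10,2) NULL);
CREATE TABLE archive.orders (id int NOT NULL, total decimal(10,2) NULL);
CREATE TABLE dbo.[say "hi"] (id int NOT NULL);
GO

-- Metadata export: a single hardcoded query, no dynamic SQL, so object
-- names never become part of the statement text. FOR JSON escapes the
-- double quote in dbo.[say "hi"] itself, and objectId/schemaName keep
-- sales.orders and archive.orders distinct in the output.
SELECT
    t.object_id            AS objectId,
    s.name                 AS schemaName,
    t.name                 AS tableName,
    (
        SELECT
            c.column_id    AS columnId,
            c.name         AS columnName,
            ty.name        AS dataType,
            c.max_length   AS maxLength,
            c.is_nullable  AS isNullable
        FROM sys.columns AS c
        JOIN sys.types   AS ty
          ON ty.user_type_id = c.user_type_id
        WHERE c.object_id = t.object_id
        ORDER BY c.column_id
        FOR JSON PATH       -- nested FOR JSON is embedded as JSON, not re-escaped
    )                      AS columns
FROM sys.tables  AS t
JOIN sys.schemas AS s
  ON s.schema_id = t.schema_id
WHERE s.name IN ('sales', 'archive', 'dbo')
ORDER BY s.name, t.name
FOR JSON PATH;
```

A consumer keying the resulting array on `objectId` (or on `schemaName` + `tableName`) rather than on `tableName` alone will see three separate objects, and the `"say \"hi\""` name arrives already valid JSON.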