wip

Author: datlechin

TablePro/Core/ChangeTracking/SQLStatementGenerator.swift

@@ -397,14 +397,8 @@ struct SQLStatementGenerator {
     }
 
     /// Escape characters that can break SQL strings
+    /// Delegates to shared SQLEscaping utility for consistent escaping across the codebase
     private func escapeSQLString(_ str: String) -> String {
-        var result = str
-        result = result.replacingOccurrences(of: "\\", with: "\\\\")  // Backslash first
-        result = result.replacingOccurrences(of: "'", with: "''")    // Single quote
-        result = result.replacingOccurrences(of: "\n", with: "\\n")  // Newline
-        result = result.replacingOccurrences(of: "\r", with: "\\r")  // Carriage return
-        result = result.replacingOccurrences(of: "\t", with: "\\t")  // Tab
-        result = result.replacingOccurrences(of: "\0", with: "\\0")  // Null byte
-        return result
+        SQLEscaping.escapeStringLiteral(str)
     }
 }

TablePro/Core/Database/SQLEscaping.swift

@@ -0,0 +1,57 @@
+//
+//  SQLEscaping.swift
+//  TablePro
+//
+//  Shared utilities for SQL string escaping to prevent SQL injection.
+//  Used across ExportService, SQLStatementGenerator, and other SQL-generating code.
+//
+
+import Foundation
+
+/// Centralized SQL escaping utilities to prevent SQL injection vulnerabilities
+enum SQLEscaping {
+
+    /// Escape a string value for use in SQL string literals (VALUES, WHERE clauses, etc.)
+    ///
+    /// Handles the following special characters:
+    /// - Backslashes (must be escaped first to avoid double-escaping)
+    /// - Single quotes (SQL standard: doubled)
+    /// - Newlines, carriage returns, tabs, null bytes
+    ///
+    /// Example:
+    /// ```swift
+    /// let safe = SQLEscaping.escapeStringLiteral("O'Brien\\test")
+    /// // Result: "O''Brien\\\\test"
+    /// let sql = "INSERT INTO users (name) VALUES ('\(safe)')"
+    /// ```
+    ///
+    /// - Parameter str: The raw string to escape
+    /// - Returns: The escaped string safe for use in SQL string literals
+    static func escapeStringLiteral(_ str: String) -> String {
+        var result = str
+        // IMPORTANT: Escape backslashes FIRST to avoid double-escaping
+        result = result.replacingOccurrences(of: "\\", with: "\\\\")
+        // Single quote: SQL standard escaping (double the quote)
+        result = result.replacingOccurrences(of: "'", with: "''")
+        // Control characters
+        result = result.replacingOccurrences(of: "\n", with: "\\n")
+        result = result.replacingOccurrences(of: "\r", with: "\\r")
+        result = result.replacingOccurrences(of: "\t", with: "\\t")
+        result = result.replacingOccurrences(of: "\0", with: "\\0")
+        return result
+    }
+
+    /// Escape wildcards in LIKE patterns while preserving intentional wildcards
+    ///
+    /// This is useful when building LIKE clauses where the search term should be treated literally.
+    ///
+    /// - Parameter value: The value to escape
+    /// - Returns: The escaped value with %, _, and \ escaped
+    static func escapeLikeWildcards(_ value: String) -> String {
+        var result = value
+        result = result.replacingOccurrences(of: "\\", with: "\\\\")
+        result = result.replacingOccurrences(of: "%", with: "\\%")
+        result = result.replacingOccurrences(of: "_", with: "\\_")
+        return result
+    }
+}

TablePro/Core/Services/CreateTableService.swift

@@ -545,15 +545,9 @@ struct CreateTableService {
     }
 
     /// Escape characters that can break SQL strings
+    /// Delegates to shared SQLEscaping utility for consistent escaping across the codebase
     private func escapeSQLString(_ str: String) -> String {
-        var result = str
-        result = result.replacingOccurrences(of: "\\", with: "\\\\")  // Backslash first
-        result = result.replacingOccurrences(of: "'", with: "''")    // Single quote (SQL standard)
-        result = result.replacingOccurrences(of: "\n", with: "\\n")  // Newline
-        result = result.replacingOccurrences(of: "\r", with: "\\r")  // Carriage return
-        result = result.replacingOccurrences(of: "\t", with: "\\t")  // Tab
-        result = result.replacingOccurrences(of: "\0", with: "\\0")  // Null byte
-        return result
+        SQLEscaping.escapeStringLiteral(str)
     }
 }
 

TablePro/Core/Services/ExportService.swift

@@ -343,22 +343,34 @@ final class ExportService: ObservableObject {
     }
 
     private func escapeCSVField(_ field: String, options: CSVExportOptions) -> String {
+        var processed = field
+
+        // Sanitize formula-like prefixes to prevent CSV formula injection
+        // Values starting with these characters can be executed as formulas in Excel/LibreOffice
+        if options.sanitizeFormulas {
+            let dangerousPrefixes: [Character] = ["=", "+", "-", "@", "\t", "\r"]
+            if let first = processed.first, dangerousPrefixes.contains(first) {
+                // Prefix with single quote - Excel/LibreOffice treats this as text
+                processed = "'" + processed
+            }
+        }
+
         switch options.quoteHandling {
         case .always:
-            let escaped = field.replacingOccurrences(of: "\"", with: "\"\"")
+            let escaped = processed.replacingOccurrences(of: "\"", with: "\"\"")
             return "\"\(escaped)\""
         case .never:
-            return field
+            return processed
         case .asNeeded:
-            let needsQuotes = field.contains(options.delimiter.actualValue) ||
-                              field.contains("\"") ||
-                              field.contains("\n") ||
-                              field.contains("\r")
+            let needsQuotes = processed.contains(options.delimiter.actualValue) ||
+                              processed.contains("\"") ||
+                              processed.contains("\n") ||
+                              processed.contains("\r")
             if needsQuotes {
-                let escaped = field.replacingOccurrences(of: "\"", with: "\"\"")
+                let escaped = processed.replacingOccurrences(of: "\"", with: "\"\"")
                 return "\"\(escaped)\""
             }
-            return field
+            return processed
         }
     }
 
@@ -416,7 +428,7 @@ final class ExportService: ObservableObject {
                             isFirstField = false
 
                             let escapedKey = escapeJSONString(column)
-                            let jsonValue = formatJSONValue(value)
+                            let jsonValue = formatJSONValue(value, preserveAsString: config.jsonOptions.preserveAllAsStrings)
                             try fileHandle.write(contentsOf: "\"\(escapedKey)\": \(jsonValue)".toUTF8Data())
                         }
                     }
@@ -462,9 +474,18 @@ final class ExportService: ObservableObject {
     }
 
     /// Format a value for JSON output
-    private func formatJSONValue(_ value: String?) -> String {
+    /// - Parameters:
+    ///   - value: The value to format
+    ///   - preserveAsString: If true, always output as string without type detection
+    ///                       (preserves leading zeros in ZIP codes, phone numbers, etc.)
+    private func formatJSONValue(_ value: String?, preserveAsString: Bool) -> String {
         guard let val = value else { return "null" }
 
+        // If preserving all as strings, skip type detection
+        if preserveAsString {
+            return "\"\(escapeJSONString(val))\""
+        }
+
         // Try to detect numbers and booleans
         if let intVal = Int(val) {
             return String(intVal)
@@ -614,8 +635,8 @@ final class ExportService: ObservableObject {
 
             let values = row.map { value -> String in
                 guard let val = value else { return "NULL" }
-                // Escape single quotes by doubling them
-                let escaped = val.replacingOccurrences(of: "'", with: "''")
+                // Use proper SQL escaping to prevent injection (handles backslashes, quotes, etc.)
+                let escaped = SQLEscaping.escapeStringLiteral(val)
                 return "'\(escaped)'"
             }.joined(separator: ", ")
 
@@ -646,8 +667,6 @@ final class ExportService: ObservableObject {
             process.arguments = ["-c", source.path]
 
             let outputFile = try FileHandle(forWritingTo: destination)
-            defer {
-                try? outputFile.close()
             defer {
                 try? outputFile.close()
             }

TablePro/Models/ExportModels.swift

@@ -100,6 +100,10 @@ struct CSVExportOptions: Equatable {
     var quoteHandling: CSVQuoteHandling = .asNeeded
     var lineBreak: CSVLineBreak = .lf
     var decimalFormat: CSVDecimalFormat = .period
+    /// Sanitize formula-like values to prevent CSV formula injection attacks.
+    /// When enabled, values starting with =, +, -, @, tab, or carriage return
+    /// are prefixed with a single quote to prevent execution in spreadsheet applications.
+    var sanitizeFormulas: Bool = true
 }
 
 // MARK: - JSON Options
@@ -108,6 +112,9 @@ struct CSVExportOptions: Equatable {
 struct JSONExportOptions: Equatable {
     var prettyPrint: Bool = true
     var includeNullValues: Bool = true
+    /// When enabled, all values are exported as strings without type detection.
+    /// This preserves leading zeros in ZIP codes, phone numbers, and similar data.
+    var preserveAllAsStrings: Bool = false
 }
 
 // MARK: - SQL Options

TablePro/Views/Export/ExportCSVOptionsView.swift

@@ -24,6 +24,10 @@ struct ExportCSVOptionsView: View {
 
                 Toggle("Put field names in the first row", isOn: $options.includeFieldNames)
                     .toggleStyle(.checkbox)
+
+                Toggle("Sanitize formula-like values", isOn: $options.sanitizeFormulas)
+                    .toggleStyle(.checkbox)
+                    .help("Prevent CSV formula injection by prefixing values starting with =, +, -, @ with a single quote")
             }
 
             Divider()

TablePro/Views/Export/ExportDialog.swift

@@ -278,7 +278,7 @@ struct ExportDialog: View {
             }
             .buttonStyle(.borderedProminent)
             .keyboardShortcut(.return, modifiers: [])
-            .disabled(selectedCount == 0 || isExporting)
+            .disabled(selectedCount == 0 || isExporting || !isFileNameValid)
         }
         .padding(.horizontal, 16)
         .padding(.vertical, 12)
@@ -301,6 +301,21 @@ struct ExportDialog: View {
         return config.format.fileExtension
     }
 
+    /// Validates that the filename is not empty and contains no invalid filesystem characters
+    private var isFileNameValid: Bool {
+        let name = config.fileName.trimmingCharacters(in: .whitespaces)
+        guard !name.isEmpty else { return false }
+
+        // Invalid filesystem characters (covers macOS, Windows, and Linux)
+        let invalidChars = CharacterSet(charactersIn: "/\\:*?\"<>|")
+        guard name.rangeOfCharacter(from: invalidChars) == nil else { return false }
+
+        // Prevent path traversal attempts
+        guard !name.contains("..") else { return false }
+
+        return true
+    }
+
     // MARK: - Actions
 
     @MainActor
@@ -421,8 +436,8 @@ struct ExportDialog: View {
     }
 
     private func fetchTablesForSchema(_ schema: String, driver: DatabaseDriver) async throws -> [TableInfo] {
-        // Escape single quotes to prevent SQL injection
-        let escapedSchema = schema.replacingOccurrences(of: "'", with: "''")
+        // Use proper SQL escaping to prevent injection (handles backslashes, quotes, etc.)
+        let escapedSchema = SQLEscaping.escapeStringLiteral(schema)
         let query = """
             SELECT table_name, table_type
             FROM information_schema.tables
@@ -439,8 +454,8 @@ struct ExportDialog: View {
     }
 
     private func fetchTablesForDatabase(_ database: String, driver: DatabaseDriver) async throws -> [TableInfo] {
-        // Escape single quotes to prevent SQL injection
-        let escapedDatabase = database.replacingOccurrences(of: "'", with: "''")
+        // Use proper SQL escaping to prevent injection (handles backslashes, quotes, etc.)
+        let escapedDatabase = SQLEscaping.escapeStringLiteral(database)
         // MySQL/MariaDB: query information_schema for tables in specific database
         let query = """
             SELECT TABLE_NAME, TABLE_TYPE

TablePro/Views/Export/ExportJSONOptionsView.swift

@@ -19,6 +19,10 @@ struct ExportJSONOptionsView: View {
 
             Toggle("Include NULL values", isOn: $options.includeNullValues)
                 .toggleStyle(.checkbox)
+
+            Toggle("Preserve all values as strings", isOn: $options.preserveAllAsStrings)
+                .toggleStyle(.checkbox)
+                .help("Keep leading zeros in ZIP codes, phone numbers, and IDs by outputting all values as strings")
         }
         .font(.system(size: DesignConstants.FontSize.body))
     }

TablePro/Views/Export/ExportSuccessView.swift

@@ -14,12 +14,11 @@ struct ExportSuccessView: View {
     let onClose: () -> Void
 
     @AppStorage("hideExportSuccessDialog") private var dontShowAgain = false
-    @State private var localDontShowAgain: Bool
+    @State private var localDontShowAgain = false
 
     init(onOpenFolder: @escaping () -> Void, onClose: @escaping () -> Void) {
         self.onOpenFolder = onOpenFolder
         self.onClose = onClose
-        _localDontShowAgain = State(initialValue: dontShowAgain)
     }
     var body: some View {
         VStack(spacing: 20) {