From c83803904cda95c3b31c68fa1bcf988f06eec8bf Mon Sep 17 00:00:00 2001
From: shanecodezzz
Date: Sat, 14 Feb 2026 13:08:40 -0800
Subject: [PATCH] fix(pkg/clients/mssql/mssql.go): mssql quoteidentifier does not escape `]` characters, enabling sql injection in all mssql operations. Escape closing brackets by replacing `]` with `]]` inside QuoteIdentifier, matching the MySQL/PostgreSQL escaping pattern.
---
 pkg/clients/mssql/mssql.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/clients/mssql/mssql.go b/pkg/clients/mssql/mssql.go
index ff6cebba..42314001 100644
--- a/pkg/clients/mssql/mssql.go
+++ b/pkg/clients/mssql/mssql.go
@@ -121,7 +121,7 @@ func (c mssqlDB) GetConnectionDetails(username, password string) managed.Connect
 // QuoteIdentifier for mssql queries
 func QuoteIdentifier(id string) string {
- return "[" + id + "]"
+ return "[" + strings.ReplaceAll(id, "]", "]]") + "]"
 }
 
 // QuoteValue for mssql queries
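Review bot: The comment above the signature, `// QuoteIdentifier for mssql queries`, still reads as a plain wrapper and says nothing about the escaping the new return line performs, yet this function is now the boundary that keeps caller-supplied names from closing the bracket quoting; it should state that contract, e.g. `// QuoteIdentifier wraps id in T-SQL square brackets, doubling any "]" so the identifier cannot terminate the quoting early.` Doubling `]` is the only escape bracket-delimited T-SQL identifiers require (a lone `[` has no special meaning inside them), so the single ReplaceAll is sufficient, and since the diff does not touch the import block, `strings` is presumably already imported in this file. A regression test would pin the behaviour, for example `if got := QuoteIdentifier("a]b"); got != "[a]]b]" { t.Fatalf("got %q", got) }`. The sibling `QuoteValue` begins at the hunk's last line but its body lies outside the hunk, so whether it applies the matching single-quote doubling cannot be confirmed from here.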