Support for escaping untrusted string inputs

[athre0z]

The library should provide users with a way to escape untrusted string inputs in a way that makes it safe to insert them into queries.

According to the documentation, it appears like escaping strings is relatively simple in ClickHouse:

In string literals, you need to escape at least ' and . Single quotes can be escaped with the single quote, literals 'It's' and 'It''s' are equal.

https://clickhouse.tech/docs/en/sql-reference/syntax/#syntax-string-literal

However, the experience with many other databases and their respective clients in the past have shown that there are a lot of things that can go wrong with escaping. Things that usually contribute to making proper escaping a non-trivial issue are:

• null terminated strings in C/C++, particularly when interoperating with a language where 0 is a valid byte inside strings
• charset mismatches on client and server, resulting in different interpretation of characters in the client and the server

We should take a close look at how some other clients handle this and perhaps even request a review from a CH engineer (on the mailing list?).

My personal opinion is that it is better to not have an escape function at all instead of having a potentially broken / unsound one that merely give users an illusion of safety.

Status

This issue is currently not being worked on and if anyone is interesting in taking a stab at it, please comment here in order to prevent duplicate work or to ask any further questions.