Merge pull request #306 from FalkorDB/fix/sql-identifier-quoting

Fix: Auto-quote SQL identifiers with special characters (dashes, spaces, etc.)

Author: galshubeli

.github/wordlist.txt

@@ -90,3 +90,8 @@ socio
 sexualized
 www
 faq
+sanitization
+Sanitization
+JOINs
+subqueries
+subquery

api/agents/analysis_agent.py

@@ -202,6 +202,7 @@ def _build_prompt(   # pylint: disable=too-many-arguments, too-many-positional-a
             - Never skip explaining missing information, ambiguities, or instruction issues.
             - Respond ONLY in strict JSON format, without extra text.
             - If the query relates to a previous question, you MUST take into account the previous question and its answer, and answer based on the context and information provided so far.
+            - CRITICAL: When table or column names contain special characters (especially dashes/hyphens like '-'), you MUST wrap them in double quotes for PostgreSQL (e.g., "table-name") or backticks for MySQL (e.g., `table-name`). This is NON-NEGOTIABLE.
 
             If the user is asking a follow-up or continuing question, use the conversation history and previous answers to resolve references, context, or ambiguities. Always base your analysis on the cumulative context, not just the current question.
 

api/core/text2sql.py

@@ -18,6 +18,7 @@
 from api.loaders.postgres_loader import PostgresLoader
 from api.loaders.mysql_loader import MySQLLoader
 from api.memory.graphiti_tool import MemoryTool
+from api.sql_utils import SQLIdentifierQuoter, DatabaseSpecificQuoter
 
 # Use the same delimiter as in the JavaScript
 MESSAGE_DELIMITER = "|||FALKORDB_MESSAGE_BOUNDARY|||"
@@ -316,6 +317,33 @@ async def generate():  # pylint: disable=too-many-locals,too-many-branches,too-m
             follow_up_result = ""
             execution_error = False
 
+            # Auto-quote table names with special characters (like dashes)
+            original_sql = answer_an['sql_query']
+            if original_sql:
+                # Extract known table names from the result schema
+                known_tables = {table[0] for table in result} if result else set()
+
+                # Determine database type and get appropriate quote character
+                db_type, _ = get_database_type_and_loader(db_url)
+                quote_char = DatabaseSpecificQuoter.get_quote_char(
+                    db_type or 'postgresql'
+                )
+
+                # Auto-quote identifiers with special characters
+                sanitized_sql, was_modified = (
+                    SQLIdentifierQuoter.auto_quote_identifiers(
+                        original_sql, known_tables, quote_char
+                    )
+                )
+
+                if was_modified:
+                    msg = (
+                        "SQL query auto-sanitized: quoted table names with "
+                        "special characters"
+                    )
+                    logging.info(msg)
+                    answer_an['sql_query'] = sanitized_sql
+
             logging.info("Generated SQL query: %s", answer_an['sql_query'])  # nosemgrep
             yield json.dumps(
                 {
@@ -590,7 +618,7 @@ async def generate():  # pylint: disable=too-many-locals,too-many-branches,too-m
     return generate()
 
 
-async def execute_destructive_operation(
+async def execute_destructive_operation(  # pylint: disable=too-many-statements
     user_id: str,
     graph_id: str,
     confirm_data: ConfirmRequest,
@@ -613,7 +641,7 @@ async def execute_destructive_operation(
         raise InvalidArgumentError("No SQL query provided")
 
     # Create a generator function for streaming the confirmation response
-    async def generate_confirmation():
+    async def generate_confirmation():  # pylint: disable=too-many-locals,too-many-statements
         # Create memory tool for saving query results
         memory_tool = await MemoryTool.create(user_id, graph_id)
 
@@ -635,6 +663,39 @@ async def generate_confirmation():
                        "message": "Step 2: Executing confirmed SQL query"}
                 yield json.dumps(step) + MESSAGE_DELIMITER
 
+                # Auto-quote table names for confirmed destructive operations
+                sql_query = confirm_data.sql_query if hasattr(
+                    confirm_data, 'sql_query'
+                ) else ""
+                if sql_query:
+                    # Get schema to extract known tables
+                    graph = db.select_graph(graph_id)
+                    tables_query = "MATCH (t:Table) RETURN t.name"
+                    try:
+                        tables_res = (await graph.query(tables_query)).result_set
+                        known_tables = (
+                            {row[0] for row in tables_res}
+                            if tables_res else set()
+                        )
+                    except Exception:  # pylint: disable=broad-exception-caught
+                        known_tables = set()
+
+                    # Determine database type and get appropriate quote character
+                    db_type, _ = get_database_type_and_loader(db_url)
+                    quote_char = DatabaseSpecificQuoter.get_quote_char(
+                        db_type or 'postgresql'
+                    )
+
+                    # Auto-quote identifiers
+                    sanitized_sql, was_modified = (
+                        SQLIdentifierQuoter.auto_quote_identifiers(
+                            sql_query, known_tables, quote_char
+                        )
+                    )
+                    if was_modified:
+                        logging.info("Confirmed SQL query auto-sanitized")
+                        sql_query = sanitized_sql
+
                 # Check if this query modifies the database schema using appropriate loader
                 is_schema_modifying, operation_type = (
                     loader_class.is_schema_modifying_query(sql_query)

api/sql_utils/__init__.py

@@ -0,0 +1,5 @@
+"""Utility modules for QueryWeaver API."""
+
+from .sql_sanitizer import SQLIdentifierQuoter, DatabaseSpecificQuoter
+
+__all__ = ['SQLIdentifierQuoter', 'DatabaseSpecificQuoter']

api/sql_utils/sql_sanitizer.py

@@ -0,0 +1,171 @@
+"""SQL sanitization utilities for handling identifiers with special characters."""
+
+import re
+from typing import Set, Tuple
+
+
+class SQLIdentifierQuoter:
+    """
+    Utility class for automatically quoting SQL identifiers (table/column names)
+    that contain special characters like dashes.
+    """
+
+    # Characters that require quoting in identifiers
+    SPECIAL_CHARS = {'-', ' ', '.', '@', '#', '$', '%', '^', '&', '*', '(',
+                     ')', '+', '=', '[', ']', '{', '}', '|', '\\', ':',
+                     ';', '"', "'", '<', '>', ',', '?', '/'}
+    # SQL keywords that should not be quoted
+    SQL_KEYWORDS = {
+        'SELECT', 'FROM', 'WHERE', 'JOIN', 'LEFT', 'RIGHT', 'INNER', 'OUTER', 'ON',
+        'AS', 'AND', 'OR', 'NOT', 'IN', 'BETWEEN', 'LIKE', 'IS', 'NULL', 'ORDER',
+        'BY', 'GROUP', 'HAVING', 'LIMIT', 'OFFSET', 'INSERT', 'UPDATE', 'DELETE',
+        'CREATE', 'DROP', 'ALTER', 'TABLE', 'INTO', 'VALUES', 'SET', 'COUNT',
+        'SUM', 'AVG', 'MAX', 'MIN', 'DISTINCT', 'ALL', 'UNION', 'INTERSECT',
+        'EXCEPT', 'CASE', 'WHEN', 'THEN', 'ELSE', 'END', 'CAST', 'ASC', 'DESC'
+    }
+
+    @classmethod
+    def needs_quoting(cls, identifier: str) -> bool:
+        """
+        Check if an identifier needs quoting based on special characters.
+        
+        Args:
+            identifier: The table or column name to check
+            
+        Returns:
+            True if the identifier needs quoting, False otherwise
+        """
+        # Already quoted
+        if (identifier.startswith('"') and identifier.endswith('"')) or \
+           (identifier.startswith('`') and identifier.endswith('`')):
+            return False
+
+        # Check if it's a SQL keyword
+        if identifier.upper() in cls.SQL_KEYWORDS:
+            return False
+
+        # Check for special characters
+        return any(char in cls.SPECIAL_CHARS for char in identifier)
+
+    @staticmethod
+    def quote_identifier(identifier: str, quote_char: str = '"') -> str:
+        """
+        Quote an identifier if not already quoted.
+        
+        Args:
+            identifier: The identifier to quote
+            quote_char: The quote character to use (default: " for PostgreSQL/standard SQL)
+            
+        Returns:
+            Quoted identifier
+        """
+        identifier = identifier.strip()
+
+        # Don't double-quote
+        if (identifier.startswith('"') and identifier.endswith('"')) or \
+           (identifier.startswith('`') and identifier.endswith('`')):
+            return identifier
+
+        return f'{quote_char}{identifier}{quote_char}'
+
+    @classmethod
+    def extract_table_names_from_query(cls, sql_query: str) -> Set[str]:
+        """
+        Extract potential table names from a SQL query.
+        Looks for identifiers after FROM, JOIN, UPDATE, INSERT INTO, etc.
+        
+        Args:
+            sql_query: The SQL query to parse
+            
+        Returns:
+            Set of potential table names
+        """
+        table_names = set()
+
+        # Pattern to match table names after FROM, JOIN, UPDATE, INSERT INTO, etc.
+        # This is a heuristic approach - not perfect but handles common cases
+        patterns = [
+            r'\bFROM\s+([a-zA-Z0-9_\-]+)',
+            r'\bJOIN\s+([a-zA-Z0-9_\-]+)',
+            r'\bUPDATE\s+([a-zA-Z0-9_\-]+)',
+            r'\bINSERT\s+INTO\s+([a-zA-Z0-9_\-]+)',
+            r'\bTABLE\s+([a-zA-Z0-9_\-]+)',
+        ]
+
+        for pattern in patterns:
+            matches = re.finditer(pattern, sql_query, re.IGNORECASE)
+            for match in matches:
+                table_name = match.group(1).strip()
+                # Skip if it's already quoted or an alias
+                if not ((table_name.startswith('"') and table_name.endswith('"')) or
+                       (table_name.startswith('`') and table_name.endswith('`'))):
+                    table_names.add(table_name)
+
+        return table_names
+
+    @classmethod
+    def auto_quote_identifiers(
+        cls,
+        sql_query: str,
+        known_tables: Set[str],
+        quote_char: str = '"'
+    ) -> Tuple[str, bool]:
+        """
+        Automatically quote table names with special characters in a SQL query.
+        
+        Args:
+            sql_query: The SQL query to process
+            known_tables: Set of known table names from the database schema
+            quote_char: Quote character to use (default: " for PostgreSQL, use ` for MySQL)
+            
+        Returns:
+            Tuple of (modified_query, was_modified)
+        """
+        modified = False
+        result_query = sql_query
+
+        # Extract potential table names from query
+        query_tables = cls.extract_table_names_from_query(sql_query)
+
+        # For each table that needs quoting
+        for table in query_tables:
+            # Check if this table exists in known schema and needs quoting
+            if table in known_tables and cls.needs_quoting(table):
+                # Quote the table name
+                quoted = cls.quote_identifier(table, quote_char)
+
+                # Replace unquoted occurrences with quoted version
+                # Use word boundaries to avoid partial replacements
+                # Handle cases: FROM table, JOIN table, table.column, etc.
+                patterns_to_replace = [
+                    (rf'\b{re.escape(table)}\b(?!\s*\.)', quoted),
+                    (rf'\b{re.escape(table)}\.', f'{quoted}.'),
+                ]
+
+                for pattern, replacement in patterns_to_replace:
+                    new_query = re.sub(pattern, replacement, result_query, flags=re.IGNORECASE)
+                    if new_query != result_query:
+                        modified = True
+                        result_query = new_query
+
+        return result_query, modified
+
+
+class DatabaseSpecificQuoter:  # pylint: disable=too-few-public-methods
+    """Factory class to get the appropriate quote character for different databases."""
+
+    @staticmethod
+    def get_quote_char(db_type: str) -> str:
+        """
+        Get the appropriate quote character for a database type.
+        
+        Args:
+            db_type: Database type ('postgresql', 'mysql', etc.)
+            
+        Returns:
+            Quote character to use
+        """
+        if db_type.lower() in ['mysql', 'mariadb']:
+            return '`'
+        # PostgreSQL, SQLite, SQL Server (standard SQL) use double quotes
+        return '"'