refactor: replace table column name limitations by quoting

[graduenz]

Summary

My intention was to, initially, remove the regular expression validations being done to TableName and ColumnName because it limits users, and changing the implied limitation by another reasoning: users should be responsible for the names provided to tables and columns (in other words, it doesn't sound like a real problem that we need to prevent).

• Every time a TableName or ColumnName was being created, users had to check for a potential error returned and handle it, which increases the amount of code written in migrations
• To prevent SQL injection, which was still possible with that approach, all identifiers are now being quoted in the SQL commands produced by SQLBuilder
  • Reference: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • SQL injection is still a potential threat if users just use the sql.DB object directly carelessly, and I believe there is absolutely nothing we can do against it, since it's a responsibility on their end
• Changed every struct function to use pointer receivers instead of value receivers, avoiding issues like accidentally mutating a copy instead of the original struct
  • This was caught when testing the AddColumns function of the schema.Table

Description

This pull request refactors the SQL builder and database APIs to simplify type usage and improve identifier quoting. It updates method signatures to use plain strings instead of wrapper types for table and column names, introduces a quoting mechanism for SQL identifiers, and adjusts usages throughout the codebase and documentation. The changes also update tests and documentation to reflect these API improvements.

API Simplification and Consistency

• Changed SQL builder DDL method signatures (DropTable, AlterTableAddColumn, AlterTableDropColumn) to use plain string types for table and column names instead of custom wrapper types, simplifying usage across the codebase. [1] [2]
• Updated the Database struct and related methods to use a pointer to DBSchema (*schema.DBSchema) and removed the redundant executor field, streamlining database schema access. [1] [2] [3] [4]

Identifier Quoting and SQLBuilder Interface

• Added a new QuoteIdentifier method to the SQLBuilder interface and implemented it for PostgreSQL, ensuring all table and column names are properly quoted in generated SQL to prevent naming conflicts and syntax errors. [1] [2] [3] [4]
• Refactored all PostgreSQL builder methods to use pointer receivers and updated internal logic to utilize identifier quoting, improving correctness and consistency in SQL generation. [1] [2] [3]

Documentation and Test Updates

• Updated code examples in README.md to use the new API signatures and patterns, making them clearer and more consistent for users. [1] [2] [3]
• Modified all affected tests to use the new string-based API and to expect quoted identifiers in generated SQL, ensuring test coverage matches the refactored implementation. [1] [2] [3] [4] [5]

Minor Improvements

• Changed methods in ColumnsValues to use pointer receivers, aligning with Go best practices and ensuring consistency. [1] [2]

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
99.1% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud