Only unquoted [A-Za-z_][A-Za-z0-9_]* identifiers are allowed — no spaces, no quoting, no dotted names. This is deliberately strict: it stops the agent from sneaking SQL into the table/column slots.
| 100 | * no quoting, no dotted names. This is deliberately strict: it stops the |
| 101 | * agent from sneaking SQL into the table/column slots. */ |
function isValidIdentifier(s: string): boolean {
  // Anchored at both ends with no `m` flag, so the whole string must be a
  // single bare identifier: a trailing newline, a dot, a space or a quote
  // anywhere makes the match fail.
  const bareIdentifier = /^[A-Za-z_][A-Za-z0-9_]*$/;
  return bareIdentifier.exec(s) !== null;
}
| 105 | |
| 106 | /** Reject WHERE clauses that could chain statements or hide DDL. This isn't |
| 107 | * a full SQL parser — just a keyword/character denylist to keep the surface |