@cmd233/mcp-database-server 1.4.0 → 1.4.1
|
@@ -296,6 +296,8 @@ export class SqlServerAdapter {
|
|
|
296
296
|
getDescribeTableQuery(tableName) {
|
|
297
297
|
// 验证并转义表名,防止 SQL 注入
|
|
298
298
|
const escapedTableName = escapeIdentifier(tableName);
|
|
299
|
+
// 用于字符串比较(不带方括号)
|
|
300
|
+
const safeTableName = tableName.replace(/'/g, "''");
|
|
299
301
|
return `
|
|
300
302
|
SELECT
|
|
301
303
|
c.COLUMN_NAME as name,
|
|
@@ -316,13 +318,13 @@ export class SqlServerAdapter {
|
|
|
316
318
|
SELECT o.object_id
|
|
317
319
|
FROM sys.objects o
|
|
318
320
|
INNER JOIN sys.schemas s ON o.schema_id = s.schema_id
|
|
319
|
-
WHERE o.name = ${
|
|
321
|
+
WHERE o.name = '${safeTableName}' AND s.name = c.TABLE_SCHEMA
|
|
320
322
|
AND o.type IN ('U', 'V')
|
|
321
323
|
)
|
|
322
324
|
AND ep.minor_id = c.ORDINAL_POSITION
|
|
323
325
|
AND ep.name = 'MS_Description'
|
|
324
326
|
WHERE
|
|
325
|
-
c.TABLE_NAME = ${
|
|
327
|
+
c.TABLE_NAME = '${safeTableName}'
|
|
326
328
|
ORDER BY
|
|
327
329
|
c.ORDINAL_POSITION
|
|
328
330
|
`;
|
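Review bot: `safeTableName` (new line 300) is derived from the raw `tableName` by quote doubling and then spliced into two string literals (new lines 321 and 327), so the query is still assembled from caller input by hand; whether that input has been validated depends on `escapeIdentifier` rejecting bad names on line 298, which is not visible here. Doubling `'` is the correct escape for a T-SQL string literal, but the literal is non-Unicode, so a table name with characters outside the database code page may not match the `sysname` columns; `c.TABLE_NAME = N'${safeTableName}'` and `WHERE o.name = N'${safeTableName}' AND s.name = c.TABLE_SCHEMA` avoid that. If the caller of this method can bind parameters, a bound parameter would remove the hand escaping altogether. The function body continues between the two hunks, so it is not visible whether `escapedTableName` is still used after this change; if it is not, keep the call only for its validation and say so in a comment.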
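--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@cmd233/mcp-database-server",
-"version": "1.4.
+"version": "1.4.1",
 "description": "MCP server for interacting with SQLite, SQL Server, PostgreSQL and MySQL databases (Added stored procedure support and enhanced SQL injection protection)",
 "license": "MIT",
 "author": "cmd233",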