From 1e9b19da8486ce43255f72ba5f363c308c9de33f Mon Sep 17 00:00:00 2001
From: Feike Steenbergen
Date: Thu, 2 Jun 2022 08:37:49 +0200
Subject: [PATCH] Escape Identifier when building up SQL dynamically
Signed-off-by: Feike Steenbergen
---
 cmd/postgres_exporter/namespace.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/cmd/postgres_exporter/namespace.go b/cmd/postgres_exporter/namespace.go
index ab1e74ea..cf056c74 100644
--- a/cmd/postgres_exporter/namespace.go
+++ b/cmd/postgres_exporter/namespace.go
@@ -43,9 +43,7 @@ func queryNamespaceMapping(server *Server, namespace string, mapping MetricMapNa
 var err error
 if !found {
- // I've no idea how to avoid this properly at the moment, but this is
- // an admin tool so you're not injecting SQL right?
- rows, err = server.db.Query(fmt.Sprintf("SELECT * FROM %s;", namespace)) // nolint: gas
+ rows, err = server.db.Query(fmt.Sprintf("SELECT * FROM %s;", pq.QuoteIdentifier(namespace))) // nolint: gas
 } else {
 rows, err = server.db.Query(query)
 }
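Review bot: The quoted call in the `!found` branch changes how `namespace` is resolved, not only how it is escaped: `pq.QuoteIdentifier` wraps the whole string as a single, case-sensitive identifier, so a schema-qualified name (a constructed example: `myschema.myview`) or a name with upper-case letters would now refer to a different relation than it did unquoted. The hunk does not show where namespace names come from, so if such values are possible, either quote each dot-separated part separately or state in a comment that only bare lower-case relation names are supported. The `// nolint: gas` suppression also lost its only explanation when the old comment was removed; I would put `// Identifiers cannot be bound as query parameters, so namespace is quoted with pq.QuoteIdentifier before interpolation.` above the call. queryNamespaceMapping starts and ends outside the hunk.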