Intent-Code Divergence
Medium
- Confidence
- 95% confidence
- Finding
- The SQL export builds INSERT statements by directly interpolating the table name and column names without identifier validation or proper quoting. While string values are partially escaped, an attacker controlling template_name, custom template field names, or table_name could inject malformed identifiers or SQL fragments, making the generated output unsafe if later executed against a database.
