From cd21eec8be685fd3b88ff3889e7a56d0169feaa6 Mon Sep 17 00:00:00 2001
From: Matthias Tafelmeier <matthias.tafelmeier.cherusk@gmail.com>
Date: Thu, 16 Apr 2026 13:18:50 +0200
Subject: [PATCH] fix: wrap metadata_json in SQL quotes for target and
 credential inserts

---
 controller/database.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/controller/database.py b/controller/database.py
index 9e5ec84..c94db37 100644
--- a/controller/database.py
+++ b/controller/database.py
@@ -252,7 +252,7 @@ def fetch_breeders_list(self):
     def insert_credential(self, credential_id, name, credential_type, description, windmill_variable, store_type='windmill_variable', metadata=None):
         """Insert credential catalog entry"""
         db_config = self._get_db_config()
-        metadata_json = json.dumps(metadata) if metadata else 'NULL'
+        metadata_json = "'" + json.dumps(metadata).replace("'", "''") + "'" if metadata else 'NULL'
         description_escaped = "'" + description.replace("'", "''") + "'" if description else 'NULL'
         
         query = f"""
@@ -336,7 +336,7 @@ def insert_target(self, target_id, name, target_type, spec, metadata=None):
         """Insert target catalog entry"""
         db_config = self._get_db_config()
         spec_json = json.dumps(spec) if isinstance(spec, dict) else spec
-        metadata_json = json.dumps(metadata) if metadata else 'NULL'
+        metadata_json = "'" + json.dumps(metadata).replace("'", "''") + "'" if metadata else 'NULL'
 
         query = f"""
         INSERT INTO {self.targets_table_name}