googleapis · saddamr3e · Jun 23, 2026
@@ -450,7 +450,10 @@ def add_index(self, model, index):
     def quote_value(self, value):
         # A more complete implementation isn't currently required.
         if isinstance(value, str):
-            return "'%s'" % value.replace("'", "''")
+            # Cloud Spanner (GoogleSQL) escapes quotes with a backslash, not by
+            # doubling them, and treats backslash as an escape character. Match
+            # the escaping used for generated/db_default columns above.
+            return "'%s'" % value.replace("\\", "\\\\").replace("'", "\\'")
         if isinstance(value, bool):
             return "TRUE" if value else "FALSE"
         return str(value)

@@ -40,6 +40,19 @@ def test_quote_value(self):
         schema_editor = DatabaseSchemaEditor(self.connection)
         self.assertEqual(schema_editor.quote_value(value=1.1), "1.1")
 
+    def test_quote_value_str_escaping(self):
+        """
+        String values must be escaped the GoogleSQL way (backslash), so a
+        quote or backslash in the value can't break out of the literal.
+        """
+        schema_editor = DatabaseSchemaEditor(self.connection)
+        self.assertEqual(schema_editor.quote_value(value="O'Brien"), "'O\\'Brien'")
+        self.assertEqual(schema_editor.quote_value(value="a\\b"), "'a\\\\b'")
+        self.assertEqual(
+            schema_editor.quote_value(value="\\' OR 1=1 -- "),
+            "'\\\\\\' OR 1=1 -- '",
+        )
+
     def test_skip_default(self):
         """
         Tries skipping default as Cloud spanner doesn't support it.