From bd1c78d7f25f429cfb59f2a13e6cc31b5081b639 Mon Sep 17 00:00:00 2001
From: careck <careck@gmail.com>
Date: Tue, 5 May 2026 09:09:10 +1000
Subject: [PATCH] docs: document SQLCipher PRAGMA key escaping rationale

Closes #181
---
 krillnotes-core/src/core/storage.rs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/krillnotes-core/src/core/storage.rs b/krillnotes-core/src/core/storage.rs
index 8e286959..3db5eef2 100644
--- a/krillnotes-core/src/core/storage.rs
+++ b/krillnotes-core/src/core/storage.rs
@@ -33,6 +33,9 @@ impl Storage {
     pub fn create<P: AsRef<Path>>(path: P, password: &str) -> Result<Self> {
         let conn = Connection::open(path)?;
         if !password.is_empty() {
+            // SQLCipher's PRAGMA key doesn't support parameterized queries (?-binding),
+            // so string interpolation is required. Single-quote doubling ('') is the
+            // standard SQL literal escape and is sufficient to prevent injection here.
             let escaped = password.replace('\'', "''");
             conn.execute_batch(&format!("PRAGMA key = '{escaped}';\n"))?;
         }
@@ -58,6 +61,9 @@ impl Storage {
     pub fn open<P: AsRef<Path>>(path: P, password: &str) -> Result<Self> {
         let conn = Connection::open(path.as_ref())?;
         if !password.is_empty() {
+            // SQLCipher's PRAGMA key doesn't support parameterized queries (?-binding),
+            // so string interpolation is required. Single-quote doubling ('') is the
+            // standard SQL literal escape and is sufficient to prevent injection here.
             let escaped = password.replace('\'', "''");
             conn.execute_batch(&format!("PRAGMA key = '{escaped}';\n"))?;
         }