From ae7301921a0e6dc31a3656c07bf6372d5b9a99cf Mon Sep 17 00:00:00 2001
From: remo-lab
Date: Thu, 5 Feb 2026 17:04:10 +0530
Subject: [PATCH] Fix SQL injection in truncate_data_tables
Signed-off-by: remo-lab
---
 src/nominatim_db/tools/database_import.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/nominatim_db/tools/database_import.py b/src/nominatim_db/tools/database_import.py
index 2131a88b..18a7c321 100644
--- a/src/nominatim_db/tools/database_import.py
+++ b/src/nominatim_db/tools/database_import.py
@@ -195,7 +195,7 @@ def truncate_data_tables(conn: Connection) -> None:
 WHERE tablename LIKE 'location_road_%'""")
 for table in [r[0] for r in list(cur)]:
- cur.execute('TRUNCATE ' + table)
+ cur.execute(pysql.SQL('TRUNCATE {}').format(pysql.Identifier(table)))
 conn.commit()
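Review bot: The names passed to `pysql.Identifier(table)` are still selected only by `WHERE tablename LIKE 'location_road_%'`, which has no schema condition in the visible clause, and `_` in a LIKE pattern matches any single character. Quoting keeps a crafted table name from being parsed as SQL, but the unqualified quoted name is then resolved through the connection's search_path, so the statement could truncate a different table than the one the catalog row described. Consider also selecting `schemaname` (or filtering on it) and building the name as `pysql.Identifier(schema, table)`, and escaping the underscores in the pattern. The start of the query and the rest of truncate_data_tables lie outside the hunk, so check this against the full function; a regression test using a table name that contains a space or a quote character would pin the fix.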