From 6c57a8e5b43530542ea5ea4553e1277791f09795 Mon Sep 17 00:00:00 2001
From: simonmicro
Date: Sat, 6 Dec 2025 21:18:52 +0100
Subject: [PATCH] Prevent unknown column names from being passed to DB
Signed-off-by: simonmicro
---
 py-kms/pykms_Sql.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/py-kms/pykms_Sql.py b/py-kms/pykms_Sql.py
index d163462..0f6f73c 100644
--- a/py-kms/pykms_Sql.py
+++ b/py-kms/pykms_Sql.py
@@ -109,8 +109,9 @@ def sql_update(dbName, infoDict):
 # Update only changed columns
 common_postfix = "WHERE clientMachineId=:clientMachineId AND applicationId=:applicationId"
 def update_column_if_changed(column_name, new_value):
- assert column_name in _column_name_to_index, f"Unknown column name: {column_name}"
 assert "clientMachineId" in infoDict and "applicationId" in infoDict, "infoDict must contain 'clientMachineId' and 'applicationId'"
+ if column_name not in _column_name_to_index:
+ raise ValueError(f"Unknown column name: {column_name}")
 if data[_column_name_to_index[column_name]] != new_value:
 query = f"UPDATE clients SET {column_name}=:value {common_postfix}"
 cur.execute(query, {"value": new_value, "clientMachineId": infoDict['clientMachineId'], "applicationId": infoDict['applicationId']})
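Review bot: The `infoDict` key check directly above the new guard in `update_column_if_changed` is still an `assert`, so it is stripped under `python -O` exactly like the one this commit replaces; for consistency it should raise too, e.g. `if "clientMachineId" not in infoDict or "applicationId" not in infoDict: raise ValueError("infoDict must contain 'clientMachineId' and 'applicationId'")`. Because `column_name` is formatted into the `UPDATE` text with an f-string while only the values are bound as parameters, the membership test against `_column_name_to_index` is the sole thing keeping caller-supplied identifiers out of the query. A short comment on the new check, such as `# column_name is formatted into the SQL text; it must come from the known-column allow-list`, would keep a later refactor from removing it. `sql_update` begins outside the hunk, so whether `infoDict` is validated earlier cannot be seen from here.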