table_view: Ignore invalid query column names as with SQLITE_DQS=0 they don't degrade to string comparisons

tuffnatty · tuffnatty · commit b987223b4312 · 2025-12-16T15:01:01.000+01:00
diff --git a/datasette/filters.py b/datasette/filters.py
@@ -408,11 +408,15 @@ def selections(self):
     def has_selections(self):
         return bool(self.pairs)
 
-    def build_where_clauses(self, table):
+    def build_where_clauses(self, table, table_columns=None):
         sql_bits = []
         params = {}
         i = 0
         for column, lookup, value in self.selections():
+            if column != "rowid" and table_columns and column not in table_columns:
+                # Ignore invalid column names, with SQLITE_DQS=0 they don't
+                # degrade to harmless string literal comparisons
+                continue
             filter = self._filters_by_key.get(lookup, None)
             if filter:
                 sql_bit, param = filter.where_clause(table, column, value, i)
diff --git a/datasette/views/table.py b/datasette/views/table.py
@@ -1033,7 +1033,7 @@ async def table_view_data(
 
     # Build where clauses from query string arguments
     filters = Filters(sorted(filter_args))
-    where_clauses, params = filters.build_where_clauses(table_name)
+    where_clauses, params = filters.build_where_clauses(table_name, table_columns)
 
     # Execute filters_from_request plugin hooks - including the default
     # ones that live in datasette/filters.py
