=== SQL Injection Vulnerability Test ===

[Test 1] Basic SQL Injection via equals operator:
  Input: ' OR '1'='1
  Vulnerable output: '' OR '1'='1'
  VULNERABLE: YES - SQL INJECTION POSSIBLE

[Test 2] Data extraction attempt:
  Input: ' UNION SELECT email, password FROM users --
  Vulnerable output: '' UNION SELECT email, password FROM users --'
  VULNERABLE: YES - SQL INJECTION POSSIBLE

[Test 3] Time-based blind SQL injection:
  Input: ' OR pg_sleep(5) --
  Vulnerable output: '' OR pg_sleep(5) --'
  VULNERABLE: YES - SQL INJECTION POSSIBLE

=== Testing Patched Version ===

[Test 4] Same malicious input with escapeSQLValue (patched):
  Input: ' OR '1'='1
  BLOCKED: YES - ' OR '1'='1 is not allowed as a JSON query value

[Test 5] Safe input with escapeSQLValue:
  Input: normal_value_123
  Output: 'normal_value_123'
  BLOCKED: NO - Safe input processed correctly

=== Summary ===

The vulnerable code directly concatenates user input into SQL queries, allowing SQL injection attacks via JSON/RichText field queries. The patch adds escapeSQLValue() which validates input against /^[\w @.\-+:]*$/
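
The before/after behaviour in the log, as an added JavaScript example that is not the project's own code. Only the name escapeSQLValue, the pattern and the error wording come from the log; the function bodies, quoteUnsafe and check are assumptions.

```javascript
// Added illustration. Only the name escapeSQLValue, the pattern and the error
// wording come from the log; all function bodies here are assumptions.
const ALLOWED_VALUE = /^[\w @.\-+:]*$/;

// "Before": the raw value is wrapped in quotes by concatenation.
function quoteUnsafe(value) {
  return `'${value}'`;
}

// "After": reject anything outside the allowlist, then quote.
// Without the `m` flag, `$` matches only at the very end of the input, so a
// trailing newline is rejected; \w is ASCII-only, so accented letters are too.
function escapeSQLValue(value) {
  if (typeof value !== 'string' || !ALLOWED_VALUE.test(value)) {
    throw new Error(`${value} is not allowed as a JSON query value`);
  }
  return `'${value}'`;
}

// Hypothetical helper: report whether a value is blocked and what comes back.
function check(value) {
  try {
    return { blocked: false, output: escapeSQLValue(value) };
  } catch (err) {
    return { blocked: true, output: err.message };
  }
}

// Inputs taken from the log, plus two constructed edge cases.
const samples = [
  "' OR '1'='1",
  "' UNION SELECT email, password FROM users --",
  "' OR pg_sleep(5) --",
  'normal_value_123',
  'user+tag@example.com',   // constructed: allowed punctuation
  'normal_value_123\n',     // constructed: trailing newline
];

for (const s of samples) {
  const r = check(s);
  console.log(JSON.stringify(s), '->', r.blocked ? 'BLOCKED' : r.output);
}
```

Binding the value as a query parameter remains the stronger control wherever the query builder allows it; the allowlist only limits what can reach the quoted literal.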