feat: standardise PostgREST string escaping across codebase (Closes #1543)#1894

Merged
dipexplorer merged 3 commits into
RatLoopz:mainfrom
nimkarprachi17:feat/standardise-postgrest-escaping
Jun 15, 2026

Conversation

@nimkarprachi17

Contributor

🛑 STOP: Assignment & File Scope Check

  • I am assigned to this issue.
  • I verified that this PR ONLY touches the required files.

📋 PR Summary & Link

📸 Proof of Work

  • Zero TypeScript errors (npx tsc --noEmit clean on both api and web)
  • git diff --stat main confirms exactly 6 files changed — all scoped to this issue
  • Pre-existing lint errors in AnalyticsCharts.tsx and CacheStatsCard.tsx are unrelated to this PR

Files changed:

  • apps/api/src/utils/db.ts — added escapePostgrest()
  • apps/web/lib/supabase/utils.ts — new file with escapePostgrest()
  • apps/api/src/routes/interactions.ts — fixed 2 naked .or() filters
  • apps/api/src/routes/scan.ts — fixed 2 naked .or() filters
  • apps/api/src/services/medicineRag.service.ts — fixed 1 naked .or() filter
  • apps/web/app/[locale]/components/SearchBar.tsx — fixed 1 naked .or() filter

🏷️ PR Type

  • type: feature
  • 🔒 type: security
  • ♻️ type: refactor

✅ Checklist

  • My PR has a linked issue (Closes #1543)
  • I have pulled the latest main and resolved any conflicts

@dipexplorer dipexplorer left a comment

Member

The PostgREST quoting syntax is incorrect and breaks the search.

When you use .ilike.%${escapePostgrest(val)}%, the resulting string evaluates to .ilike.%"val". In PostgREST, double quotes must wrap the entire value to escape commas, not sit inside the % wildcards. Because the quotes are in the middle, PostgREST will either throw a syntax error or search for literal double-quotes.

Additionally, in interactions.ts, escaped is already processed by escapeIlike(). Passing it into escapePostgrest(escaped) causes double-escaping (\\\\, \\%).

How to fix:

  1. Modify escapePostgrest to just escape characters without hardcoding the surrounding double quotes:

```ts
export function escapePostgrest(val: string): string {
    return val
        .replace(/\\/g, "\\\\") // escape backslashes first so the later escapes are not doubled
        .replace(/%/g, "\\%")   // LIKE/ILIKE multi-character wildcard
        .replace(/_/g, "\\_")   // LIKE/ILIKE single-character wildcard
        .replace(/"/g, '""');   // double quotes inside the quoted value
}
```

  2. For .ilike() filters, wrap the entire expression in double quotes in your template literals, placing the % wildcards inside:

```ts
.or(`brand_name.ilike."%${escapePostgrest(trimmed)}%",batch_number.ilike."%${escapePostgrest(trimmed)}%"`)
```

Please update this across all modified files.
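
As an added example (not code from the SahiDawa repository or from this review), the following TypeScript shows why the review treats a "naked" .or() filter as a security fix: a comma in a user-supplied search term splits the filter into extra conditions, while the quoted-and-escaped form keeps it a single value. It reuses the reviewer's escapePostgrest() and adds two hypothetical filter builders, nakedOrFilter() and quotedOrFilter(), plus a toy splitConditions() that is a simplified model of how PostgREST separates or=(...) conditions on commas, not its actual grammar (embedded double quotes are not modelled). The search terms are constructed sample input.

```typescript
// Added example, not the project's code. Models the comma/quote behaviour
// described in the review to show the difference between a naked .or()
// filter and the quoted, escaped form.

// Same escaping as the review's fix: escapes characters only; the caller
// wraps the result in double quotes inside the template literal.
function escapePostgrest(val: string): string {
  return val
    .replace(/\\/g, "\\\\") // backslash first, so later escapes are not doubled
    .replace(/%/g, "\\%")   // ILIKE multi-character wildcard
    .replace(/_/g, "\\_")   // ILIKE single-character wildcard
    .replace(/"/g, '""');
}

// The "naked" form the PR removed (hypothetical builder): the raw term lands
// directly in the filter string, so any comma in it separates conditions.
function nakedOrFilter(term: string): string {
  return `brand_name.ilike.%${term}%,batch_number.ilike.%${term}%`;
}

// The fixed form (hypothetical builder): double quotes wrap the whole value
// and the % wildcards sit inside the quotes, as the review asks.
function quotedOrFilter(term: string): string {
  const v = `"%${escapePostgrest(term)}%"`;
  return `brand_name.ilike.${v},batch_number.ilike.${v}`;
}

// Toy splitter (assumption: a simplified reading of the review, not
// PostgREST's parser): a comma ends a condition unless it sits inside a
// double-quoted value, where a backslash escapes the following character.
function splitConditions(filter: string): string[] {
  const out: string[] = [];
  let cur = "";
  let inQuotes = false;
  for (let i = 0; i < filter.length; i++) {
    const c = filter[i];
    if (inQuotes && c === "\\" && i + 1 < filter.length) {
      cur += c + filter[++i]; // keep the escape pair intact
    } else if (c === '"') {
      inQuotes = !inQuotes;
      cur += c;
    } else if (c === "," && !inQuotes) {
      out.push(cur);
      cur = "";
    } else {
      cur += c;
    }
  }
  out.push(cur);
  return out;
}

// Constructed sample: a product name containing a comma.
const term = "para,cetamol";
console.log(splitConditions(nakedOrFilter(term)));  // four fragments, two of them broken
console.log(splitConditions(quotedOrFilter(term))); // the two intended conditions
// Escaping an already-escaped value reproduces the double-escaping the review
// flags in interactions.ts.
console.log(escapePostgrest(escapePostgrest("50%")));
```

Run with a comma-bearing term and the naked builder yields four fragments, two of which are not valid conditions at all, whereas the quoted builder yields exactly the two brand_name/batch_number conditions. Feeding escapePostgrest() its own output turns a single escaped percent sign into three backslashes and a percent, which is the `\\\\`, `\\%` symptom the review describes.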

@dipexplorer dipexplorer added level:advanced 55 pts and removed level:intermediate 35 pts labels Jun 14, 2026
@nimkarprachi17

Contributor Author

Fixed all issues raised in review:

  1. escapePostgrest() no longer hardcodes double quotes — they are now placed in the template literals wrapping the entire value: "%${escapePostgrest(val)}%"
  2. Removed escapePostgrest from UUID comparisons in interactions.ts — UUIDs cannot contain commas so no escaping is needed there
  3. Updated consistently across all modified files: interactions.ts, scan.ts, medicineRag.service.ts, SearchBar.tsx, and both utility files

@dipexplorer dipexplorer added quality:clean multiplier x1.2 type:bug Something isn't working labels Jun 15, 2026
@dipexplorer dipexplorer merged commit 339299e into RatLoopz:main Jun 15, 2026
16 of 19 checks passed
@github-project-automation github-project-automation Bot moved this from 📥 Backlog to 🎉 Merged in SahiDawa Workflow Jun 15, 2026
@github-actions

Contributor

🎉 Congratulations @nimkarprachi17! Your Pull Request "feat: standardise PostgREST string escaping across codebase (Closes #1543)" has been successfully merged by @dipexplorer.

Thank you for your valuable contribution to SahiDawa! 🇮🇳
If this was for GSSoC 2026, your work is officially merged and valid. Keep up the great work and feel free to claim other open issues. 🚀

Follow us on LinkedIn: https://www.linkedin.com/company/ratloopz/ to get shoutout

Labels

gssoc:approved Approved for gssoc level:advanced 55 pts quality:clean multiplier x1.2 status: open-for-all type:bug Something isn't working type:feature New feature or request

Projects

Status: 🎉 Merged

Development

Successfully merging this pull request may close these issues.

[FEATURE] Standardise PostgREST string escaping across the codebase