From 8ede63adcd306f64ef90d72b8b363f410cd04ca5 Mon Sep 17 00:00:00 2001
From: Yuyao Huang <huangyuyao@outlook.com>
Date: Sat, 9 May 2026 12:57:18 +0800
Subject: [PATCH] fix: quote column names in UPDATE statements to handle
 reserved keywords

'order' is a reserved keyword in SQLite. Quote all column names
in update_user, update_goal, and update_task to prevent syntax
errors when updating columns with reserved names.
---
 database.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/database.py b/database.py
index 9e3512e..b6a93e3 100644
--- a/database.py
+++ b/database.py
@@ -48,7 +48,7 @@ def create_user(username, password_hash, role="user", max_goals=None):
 def update_user(user_id, **kwargs):
     if not kwargs:
         return
-    sets = ", ".join(f"{k} = ?" for k in kwargs)
+    sets = ", ".join(f'"{k}" = ?' for k in kwargs)
     values = list(kwargs.values()) + [user_id]
     conn = get_connection()
     try:
@@ -101,7 +101,7 @@ def create_goal(user_id, title):
 def update_goal(goal_id, **kwargs):
     if not kwargs:
         return
-    sets = ", ".join(f"{k} = ?" for k in kwargs)
+    sets = ", ".join(f'"{k}" = ?' for k in kwargs)
     values = list(kwargs.values()) + [goal_id]
     conn = get_connection()
     try:
@@ -177,7 +177,7 @@ def create_task(goal_id, title, desc="", status="todo", order=None):
 def update_task(task_id, **kwargs):
     if not kwargs:
         return
-    sets = ", ".join(f"{k} = ?" for k in kwargs)
+    sets = ", ".join(f'"{k}" = ?' for k in kwargs)
     values = list(kwargs.values()) + [task_id]
     conn = get_connection()
     try: