…g Sequel in production
…ents by default for regular association loading This is similar to the prepared_statements_with_pk plugin, as it also uses Dataset#unbind, but it should be more safe as it skips using a prepared statement completely if it detects that there are association options that it does not handle.
…e with models more safe This new plugin doesn't use prepared statements at all, but it's designed to be used with (and requires) the prepared_statements plugin. The basic security issue with using prepared statements implicitly with Sequel is that Sequel by default only uses the currently present columns when inserting (some subset of the table's columns), and by default when updating only saves the changed columns. For prepared statements to be used, each set of columns in the insert and update statements needs to have its own prepared statement. If you have a table with 1 primary key column and 4 other columns, you can have up to 2^4 = 16 prepared statements created, one for each subset of the 4 columns. If you have 1 primary key column and 20 other columns, there are over a million subsets, and you would assuredly hit your database limit for prepared statements (a denial of service attack). The fix for this is to use every column possible when inserting and updating. For updating, this is simple, as you just save all columns. For inserting, this isn't always possible, as you can't necessarily insert a correct default value, as it could depend on a database function. So for NULL defaults and defaults that Sequel can parse, Sequel will add those columns to the insert statement.
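The subset explosion described in that commit message, as an added simulation (not Sequel's own code): it counts how many distinct prepared statements a worst-case sequence of inserts would create when one statement is cached per column subset, and how filling NULL and parseable defaults bounds that count to 2^(columns without a fillable default). The schema, defaults and placeholder values are constructed for the example.

```ruby
# Added example: simulates the prepared-statement cache growth described above.
# Not Sequel code; the schema and defaults below are constructed.

# Constructed schema: non-primary-key columns and the defaults Sequel could parse.
# :created_at is deliberately absent from DEFAULTS, standing in for a column whose
# default is a database function (e.g. now()) that cannot be filled client-side.
COLUMNS  = %i[name email age created_at].freeze
DEFAULTS = { name: nil, email: nil, age: 0 }.freeze

# Cache key for a prepared statement: one per table/operation/column set.
def statement_key(table, op, cols)
  "#{op}:#{table}:#{cols.sort.join(',')}"
end

# Every subset of the columns, including the empty set (2**n of them).
def all_column_subsets(cols)
  (0..cols.size).flat_map { |k| cols.combination(k).to_a }
end

# Implicit behaviour: one prepared statement per distinct column subset seen.
def implicit_statement_count(table, inserts)
  inserts.map { |row| statement_key(table, :insert, row.keys) }.uniq.size
end

# Safe behaviour: add every column whose default is NULL or parseable, so the
# column set only varies over columns whose default cannot be filled.
def widen_with_defaults(row, columns = COLUMNS, defaults = DEFAULTS)
  columns.each_with_object(row.dup) do |c, r|
    r[c] = defaults[c] if !r.key?(c) && defaults.key?(c)
  end
end

def safe_statement_count(table, inserts)
  inserts.map { |row| statement_key(table, :insert, widen_with_defaults(row).keys) }.uniq.size
end

# One insert per possible column subset (values are constructed placeholders).
def worst_case_inserts(columns = COLUMNS)
  all_column_subsets(columns).map { |cols| cols.to_h { |c| [c, "v"] } }
end

if __FILE__ == $PROGRAM_NAME
  inserts = worst_case_inserts
  puts "implicit: #{implicit_statement_count(:users, inserts)} prepared statements" # 16
  puts "safe:     #{safe_statement_count(:users, inserts)} prepared statements"     # 2
end
```

With 20 such columns the implicit count grows to 2**20 cache entries, which is the per-connection limit the commit message warns about; the safe count stays at 2**(number of columns with a function default).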
…tes, inserts, deletes, and lookups by primary key This allows easy use of Sequel's prepared statement support by models without any manual effort by the user (other than loading the plugin). Some internal changes: Prepared statements now support an :insert_select prepared type that will prepare the SQL using insert_sql, but execute it with first to retrieve the row value. You should only use this if the dataset supports insert_select. To implement the insert_select support for prepared statements a :returning=>nil option is added to the dataset, which the relevant adapters have been modified to support. In order to get Sequel to use the insert_select method when inserting, the supports_insert_select? method must return true. Quite a few private model instance methods were added to eliminate the code duplication that this would have otherwise required.
…ing models This allows similar behavior to ActiveRecord, where instantiating a new model will have the database default values set. It improves on this idea by not setting nil/NULL defaults or defaults that cannot be parsed by Sequel. It also allows users to easily modify the default values used.
…tion support This breaks backwards compatibility for people who added an sql_literal method to Sequel::Model so that Sequel::Model instances could be used in filters. While here, add an integration test for filtering by associations.
…r using associations See the plugin RDoc for a description of how to use this.
…queries by introspecting selected columns Sequel's previous behavior has been to do a database query to retrieve the columns for a dataset unless the dataset has already cached the columns. This commit adds an extension that makes Sequel attempt to introspect the selected columns to guess at the columns that would be returned. This should work in most cases, but as there is no guarantee that Sequel will guess correctly, this is not being done by default. To use this, after loading the extension, you can extend any dataset with Sequel::ColumnIntrospection. If you want to use this for all datasets, run: Sequel::Dataset.introspect_all_columns This adds some hooks to the specs so that all of Sequel's specs can be run with this extension. To do so, define the SEQUEL_COLUMNS_INTROSPECTION environment variable when running the specs.
This adds a Sequel::Dataset#to_dot method. The to_dot method returns a string that can be processed by graphviz's dot program in order to get a visualization of the dataset. Basically, it shows a version of the dataset's abstract syntax tree. Idea stolen from Aaron Patterson's similar method in ARel 2.
…3 Sequel plugin