Skip to content

Commit

Permalink
Added named bind-style variable interpolation #281 [Michael Koziarski]
Browse files Browse the repository at this point in the history 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@78 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
  • Loading branch information
@dhh
dhh committed Dec 8, 2004
1 parent 5662c7f commit 554597d
Show file tree
Hide file tree
Showing 3 changed files with 60 additions and 6 deletions.
4 changes: 4 additions & 0 deletions activerecord/CHANGELOG
View file
Expand Up @@ -21,6 +21,10 @@


* Fixed the Inflector to handle the movie/movies pair correctly #261 [Scott Baron] * Fixed the Inflector to handle the movie/movies pair correctly #261 [Scott Baron]


* Added named bind-style variable interpolation #281 [Michael Koziarski]. Example:

Person.find(["id = :id and first_name = :first_name", { :id => 5, :first_name = "bob' or 1=1" }])

* Added bind-style variable interpolation for the condition arrays that uses the adapter's quote method [Michael Koziarski] * Added bind-style variable interpolation for the condition arrays that uses the adapter's quote method [Michael Koziarski]


Before: Before:
Expand Down
41 changes: 35 additions & 6 deletions activerecord/lib/active_record/base.rb
View file
Expand Up @@ -26,6 +26,8 @@ class RecordNotFound < ActiveRecordError #:nodoc:
end end
class StatementInvalid < ActiveRecordError #:nodoc: class StatementInvalid < ActiveRecordError #:nodoc:
end end
class PreparedStatementInvalid < ActiveRecordError #:nodoc:
end


# Active Record objects doesn't specify their attributes directly, but rather infer them from the table definition with # Active Record objects doesn't specify their attributes directly, but rather infer them from the table definition with
# which they're linked. Adding, removing, and changing attributes and their type is done directly in the database. Any change # which they're linked. Adding, removing, and changing attributes and their type is done directly in the database. Any change
Expand Down Expand Up @@ -642,19 +644,46 @@ def class_name_of_active_record_descendant(klass)
def sanitize_conditions(conditions) def sanitize_conditions(conditions)
return conditions unless conditions.is_a?(Array) return conditions unless conditions.is_a?(Array)


statement, values = conditions[0], conditions[1..-1] statement, *values = conditions


statement =~ /\?/ ? if values[0].is_a?(Hash) && statement =~ /:\w+/
replace_bind_variables(statement, values) : replace_named_bind_variables(statement, values[0])
elsif statement =~ /\?/
replace_bind_variables(statement, values)
else
statement % values.collect { |value| connection.quote_string(value.to_s) } statement % values.collect { |value| connection.quote_string(value.to_s) }
end
end end


def replace_bind_variables(statement, values) def replace_bind_variables(statement, values)
while statement =~ /\?/ orig_statement = statement.clone
expected_number_of_variables = statement.count('?')
provided_number_of_variables = values.size

unless expected_number_of_variables == provided_number_of_variables
raise PreparedStatementInvalid, "wrong number of bind variables (#{provided_number_of_variables} for #{expected_number_of_variables})"
end

until values.empty?
statement.sub!(/\?/, connection.quote(values.shift)) statement.sub!(/\?/, connection.quote(values.shift))
end end


return statement statement.gsub('?') { |all, match| connection.quote(values.shift) }
end

def replace_named_bind_variables(statement, values_hash)
orig_statement = statement.clone
values_hash.keys.each do |k|
if statement.sub!(/:#{k.id2name}/, connection.quote(values_hash.delete(k))).nil?
raise PreparedStatementInvalid, ":#{k} is not a variable in [#{orig_statement}]"
end
end

if statement =~ /(:\w+)/
raise PreparedStatementInvalid, "No value provided for #{$1} in [#{orig_statement}]"
end

return statement
end end
end end


Expand Down
21 changes: 21 additions & 0 deletions activerecord/test/finder_test.rb
View file
Expand Up @@ -88,7 +88,28 @@ def test_bind_variables
assert_nil Company.find_first(["name = ?", "37signals!"]) assert_nil Company.find_first(["name = ?", "37signals!"])
assert_nil Company.find_first(["name = ?", "37signals!' OR 1=1"]) assert_nil Company.find_first(["name = ?", "37signals!' OR 1=1"])
assert_kind_of Time, Topic.find_first(["id = ?", 1]).written_on assert_kind_of Time, Topic.find_first(["id = ?", 1]).written_on
assert_raises(ActiveRecord::PreparedStatementInvalid) {
Company.find_first(["id=? AND name = ?", 2])
}
assert_raises(ActiveRecord::PreparedStatementInvalid) {
Company.find_first(["id=?", 2, 3, 4])
}
end

def test_named_bind_variables
assert_kind_of Firm, Company.find_first(["name = :name", { :name => "37signals" }])
assert_nil Company.find_first(["name = :name", { :name => "37signals!" }])
assert_nil Company.find_first(["name = :name", { :name => "37signals!' OR 1=1" }])
assert_kind_of Time, Topic.find_first(["id = :id", { :id => 1 }]).written_on
assert_raises(ActiveRecord::PreparedStatementInvalid) {
Company.find_first(["id=:id and name=:name", { :id=>3 }])
}
assert_raises(ActiveRecord::PreparedStatementInvalid) {
Company.find_first(["id=:id", { :id=>3, :name=>"37signals!" }])
}
end end




def test_string_sanitation def test_string_sanitation
assert_not_equal "'something ' 1=1'", ActiveRecord::Base.sanitize("something ' 1=1") assert_not_equal "'something ' 1=1'", ActiveRecord::Base.sanitize("something ' 1=1")
Expand Down

0 comments on commit 554597d

Please sign in to comment.