diff options
| author | Ryuta Kamizono <kamipo@gmail.com> | 2019-04-20 21:13:31 +0900 |
|---|---|---|
| committer | Ryuta Kamizono <kamipo@gmail.com> | 2019-06-06 03:57:24 +0900 |
| commit | 7696f44f6ff4d3eda8510b67eaab0441153430c3 (patch) | |
| tree | 040ac9388a14c3d6709c7527b42cd760282958ff /activerecord/lib/active_record/connection_adapters/abstract | |
| parent | f166a01b4bfca7d32428095670a271d0771db797 (diff) | |
| download | rails-7696f44f6ff4d3eda8510b67eaab0441153430c3.tar.gz rails-7696f44f6ff4d3eda8510b67eaab0441153430c3.tar.bz2 rails-7696f44f6ff4d3eda8510b67eaab0441153430c3.zip | |
Allow quoted identifier string as safe SQL string
Currently `posts.title` is regarded as a safe SQL string, but
`"posts"."title"` (it is a result of `quote_table_name("posts.title")`)
is regarded as an unsafe SQL string even though a result of
`quote_table_name` should obviously be regarded as a safe SQL string,
since the column name matcher doesn't respect quotation, it is a little
annoying.
This changes the column name matcher to allow quoted identifiers as safe
SQL string, now all results of the `quote_table_name` are regarded as
safe SQL string.
Diffstat (limited to 'activerecord/lib/active_record/connection_adapters/abstract')
| -rw-r--r-- | activerecord/lib/active_record/connection_adapters/abstract/quoting.rb | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb b/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb index 2877530917..99e1a11f30 100644 --- a/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb +++ b/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb @@ -142,6 +142,43 @@ module ActiveRecord value.to_s.gsub(%r{ (/ (?: | \g<1>) \*) \+? \s* | \s* (\* (?: | \g<2>) /) }x, "") end + def column_name_matcher # :nodoc: + COLUMN_NAME + end + + def column_name_with_order_matcher # :nodoc: + COLUMN_NAME_WITH_ORDER + end + + # Regexp for column names (with or without a table name prefix). + # Matches the following: + # + # "#{table_name}.#{column_name}" + # "#{column_name}" + COLUMN_NAME = /\A(?:\w+\.)?\w+\z/i + + # Regexp for column names with order (with or without a table name prefix, + # with or without various order modifiers). Matches the following: + # + # "#{table_name}.#{column_name}" + # "#{table_name}.#{column_name} #{direction}" + # "#{table_name}.#{column_name} #{direction} NULLS FIRST" + # "#{table_name}.#{column_name} NULLS LAST" + # "#{column_name}" + # "#{column_name} #{direction}" + # "#{column_name} #{direction} NULLS FIRST" + # "#{column_name} NULLS LAST" + COLUMN_NAME_WITH_ORDER = / + \A + (?:\w+\.)? + \w+ + (?:\s+ASC|\s+DESC)? + (?:\s+NULLS\s+(?:FIRST|LAST))? + \z + /ix + + private_constant :COLUMN_NAME, :COLUMN_NAME_WITH_ORDER + private def type_casted_binds(binds) if binds.first.is_a?(Array) |