path: root/activerecord/lib/active_record/sanitization.rb
Commit log (each entry: commit message, author, date, files changed, lines removed/added):
* Refactor `disallow_raw_sql!` to avoid `split(/\s*,\s*/)` to order args
  Ryuta Kamizono, 2019-06-09, 1 file, -2/+1

  `split(/\s*,\s*/)` to order args and then `permit.match?` one by one is much slower than `permit.match?` once.

* Allow quoted identifier string as safe SQL string
  Ryuta Kamizono, 2019-06-06, 1 file, -2/+31

  Currently `posts.title` is regarded as a safe SQL string, but `"posts"."title"` (it is a result of `quote_table_name("posts.title")`) is regarded as an unsafe SQL string even though a result of `quote_table_name` should obviously be regarded as a safe SQL string. Since the column name matcher doesn't respect quotation, it is a little annoying. This changes the column name matcher to allow quoted identifiers as a safe SQL string; now all results of `quote_table_name` are regarded as safe SQL strings.

* Quote empty ranges like other empty enumerables
  Patrick Rebsch, 2019-03-07, 1 file, -2/+3

* Remove deprecated `expand_hash_conditions_for_aggregates`
  Rafael Mendonça França, 2019-01-17, 1 file, -37/+0

* Permit list usage cleanup and clearer documentation
  Kevin Deisz, 2018-08-27, 1 file, -2/+2

* Convert over the rest of the whitelist references
  Kevin Deisz, 2018-08-24, 1 file, -2/+2

* Merge pull request #31821 from composerinteralia/extra-to_s
  George Claghorn, 2018-01-29, 1 file, -1/+1

  Avoid extra calls to to_s

  * Avoid extra calls to to_s
    Daniel Colson, 2018-01-29, 1 file, -1/+1

    With #31615 `type_for_attribute` accepts either a symbol or a string. `has_attribute?` and `attribute_alias` also accept either. Since these methods call `to_s` on the argument, we no longer need to do that at the call site.

* Deprecate `expand_hash_conditions_for_aggregates`
  Ryuta Kamizono, 2018-01-29, 1 file, -0/+1

  This can not expand an array of aggregated objects correctly, and is no longer used internally since 159b21b5.

* Allow expanding an array of `composed_of` objects
  Ryuta Kamizono, 2018-01-29, 1 file, -6/+4

* Fix not expanded problem when passing an Array object as argument to the where method using composed_of column.
  orekyuu, 2018-01-26, 1 file, -3/+7

  Fixes #31723

  ```
  david_balance = customers(:david).balance
  Customer.where(balance: [david_balance]).to_sql
  # Before: WHERE `customers`.`balance` = NULL
  # After : WHERE `customers`.`balance` = 50
  ```

* Make `sanitize_sql_` methods public
  yuuji.yaginuma, 2017-12-13, 1 file, -125/+124

  Currently, sanitize methods are private, so `send` is needed to use them from outside the class. However, sometimes we want to use sanitize methods from outside the class when we want to generate SQL including multiple tables, such as for a search. In order to avoid using `send` in such a case, the methods have been changed to public.

* Merge pull request #27947 from mastahyeti/unsafe_raw_sql
  Matthew Draper, 2017-11-14, 1 file, -1/+11

  Disallow raw SQL in dangerous AR methods

  * push order arg checks down to allow for binds
    Ben Toews, 2017-11-09, 1 file, -1/+5

  * deal with Array arguments to #order
    Ben Toews, 2017-11-09, 1 file, -0/+6

* Properly cast input in `update_all`
  Sean Griffin, 2017-11-13, 1 file, -1/+2

  The documentation claims that given values go through "normal AR type casting and serialization", which to me implies `serialize(cast(value))`, not just serialization. The docs were changed to use this wording in #22492. The tests I cited in that PR (which is the same test modified in this commit) are worded in a way that implies it should be using `cast` as well. It's possible that I originally meant "normal type casting" to imply just the call to `serialize`, but given that `update_all(archived: params['archived'])` seems to be pretty common, I'm inclined to make this change as long as no tests are broken from it.

* Remove deprecated method `#sanitize_conditions`
  Rafael Mendonça França, 2017-10-23, 1 file, -2/+0

* Remove deprecated support to `quoted_id` when typecasting an Active Record object
  Rafael Mendonça França, 2017-10-23, 1 file, -5/+0

* Use frozen-string-literal in ActiveRecord
  Kir Shatrov, 2017-07-19, 1 file, -0/+2

* Revert "Merge pull request #29540 from kirs/rubocop-frozen-string"
  Matthew Draper, 2017-07-02, 1 file, -1/+0

  This reverts commit 3420a14590c0e6915d8b6c242887f74adb4120f9, reversing changes made to afb66a5a598ce4ac74ad84b125a5abf046dcf5aa.

* Enforce frozen string in Rubocop
  Kir Shatrov, 2017-07-01, 1 file, -0/+1

* Deprecate using `#quoted_id` in quoting
  Ryuta Kamizono, 2017-02-24, 1 file, -2/+1

  Originally `quoted_id` was used in legacy quoting mechanism. Now we use type casting mechanism for that. Let's deprecate `quoted_id`.

* `self.` is not needed when calling its own instance method
  Akira Matsuda, 2017-01-05, 1 file, -1/+1

  Actually, private methods cannot be called with `self.`, so it's not just redundant, it's a bad habit in Ruby.

* Privatize unneededly protected methods in Active Record
  Akira Matsuda, 2016-12-24, 1 file, -13/+13

* let Regexp#match? be globally available
  Xavier Noria, 2016-10-27, 1 file, -1/+0

  Regexp#match? should be considered to be part of the Ruby core library. We are emulating it for < 2.4, but not having to require the extension is part of the illusion of the emulation.

* Fix broken comments indentation caused by rubocop auto-correct [ci skip]
  Ryuta Kamizono, 2016-09-14, 1 file, -80/+80

  All indentation was normalized by rubocop auto-correct at 80e66cc4d90bf8c15d1a5f6e3152e90147f00772. But comments were still kept at their absolute position. This commit aligns comments with method definitions for consistency.

* Deprecate `sanitize_conditions`. Use `sanitize_sql` instead
  Ryuta Kamizono, 2016-08-18, 1 file, -2/+3

  Because `sanitize_conditions` protected method is only used in one place.

* Merge pull request #26000 from kamipo/remove_sanitize
  Rafael França, 2016-08-16, 1 file, -8/+1

  Remove internal `sanitize` method

  * Remove internal `sanitize` method
    Ryuta Kamizono, 2016-07-31, 1 file, -8/+1

    Currently internal `sanitize`/`quote_value` method is only used for `quoted_id`. Simply it is enough to use `connection.quote` public API instead.

* normalizes indentation and whitespace across the project
  Xavier Noria, 2016-08-06, 1 file, -90/+90

* applies new string literal convention in activerecord/lib
  Xavier Noria, 2016-08-06, 1 file, -7/+7

  The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.

* adds missing requires
  Xavier Noria, 2016-07-24, 1 file, -0/+2

* systematic revision of =~ usage in AR
  Xavier Noria, 2016-07-23, 1 file, -1/+1

  Where appropriate, prefer the more concise Regexp#match?, String#include?, String#start_with?, or String#end_with?

* Fix grammar `a` to `an` [ci skip]
  Ryuta Kamizono, 2016-02-13, 1 file, -1/+1

* quoted_id is not public API.
  Rafael Mendonça França, 2016-01-01, 1 file, -1/+1

  It was made public by mistake in https://github.com/rails/rails/commit/539b69e0.

* Add test cases for `#sanitize_sql_array` with named_bind_variables
  yui-knk, 2015-11-09, 1 file, -0/+9

  And add code examples to `sanitize_sql_for_conditions`, `sanitize_sql_for_assignment`, and `sanitize_sql_array`.

* Define `sanitize_sql_for_order` for AR and use it inside `preprocess_order_args`
  yui-knk, 2015-11-02, 1 file, -0/+16

  This commit follows up on 6a6dbb4c51fb0c58ba1a810eaa552774167b758a.

* applies new doc guidelines to Active Record.
  Yves Senn, 2015-10-14, 1 file, -3/+4

  The focus of this change is to make the API more accessible. References to methods and classes should be linked to make it easy to navigate around.

  This patch makes excessive use of `rdoc-ref:` to provide more readable docs. This makes it possible to document `ActiveRecord::Base#save` even though the method is within a separate module `ActiveRecord::Persistence`.

  The goal here is to bring the API closer to the actual code that you would write.

  This commit only deals with Active Record. The other gems will be updated accordingly but in different commits. The pass through Active Record is not completely finished yet. A follow up commit will change the spots I haven't yet had the time to update.

  /cc @fxn

* [ci skip] Update docs of `AR::Sanitization`
  yui-knk, 2015-09-26, 1 file, -19/+56

  - add % style prepared statement and string examples for `sanitize_sql_for_conditions`
  - add array and string examples for `sanitize_sql_for_assignment`
  - add examples for `sanitize_sql_like`
  - add % style prepared statement example for `sanitize_sql_array`
  - align spaces of example code

* Remove not used argument `table_name` of `sanitize_sql_for_conditions`
  yui-knk, 2015-09-23, 1 file, -1/+1

  This argument was needed when `sanitize_sql_for_conditions` internally called `sanitize_sql_hash_for_conditions`. But `sanitize_sql_hash_for_conditions` was deprecated (https://github.com/rails/rails/commit/eb921000a11bc87a3b001164fc367b84aee584c5) and deleted (https://github.com/rails/rails/commit/3a59dd212315ebb9bae8338b98af259ac00bbef3) (https://github.com/rails/rails/commit/4bd089f1d93fa168b0ae17dd8c92a5157a2537d7).

* Use block variable instead of global
  Roque Pinel, 2015-06-09, 1 file, -2/+2

* remove documentation for sanitize_sql_for_conditions with a Hash
  Matthew Rudy Jacobs, 2015-05-12, 1 file, -2/+1

* Remove call to sanitize_sql_hash_for_conditions
  Matthew Rudy Jacobs, 2015-05-12, 1 file, -1/+0

  This method has already been removed.

* `type_cast_for_database` -> `serialize`
  Sean Griffin, 2015-02-17, 1 file, -1/+1

* Stop passing a column to `quote` when finding by AR models
  Sean Griffin, 2015-01-10, 1 file, -5/+2

  I'm planning on deprecating the column argument to mirror the deprecation in [arel].

  [arel]: https://github.com/rails/arel/commit/6160bfbda1d1781c3b08a33ec4955f170e95be11

* Remove deprecated `sanitize_sql_hash_for_conditions`
  Rafael Mendonça França, 2015-01-04, 1 file, -29/+0

* Stop using the column for type information in sanitization
  Sean Griffin, 2015-01-01, 1 file, -5/+4

  As we move towards removing the types from the column objects, any remaining places which have access to richer type information should be using it.

* Remove `klass` and `arel_table` as a dependency of `PredicateBuilder`
  Sean Griffin, 2014-12-26, 1 file, -1/+1

  This class cares far too much about the internals of other parts of Active Record. This is an attempt to break out a meaningful object which represents the needs of the predicate builder. I'm not fully satisfied with the name, but the general concept is an object which represents a table, the associations to/from that table, and the types associated with it. Many of these exist at the `ActiveRecord::Base` class level, not as properties of the table itself, hence the need for another object. Currently it provides these by holding a reference to the class, but that will likely change in the future. This allows the predicate builder to remain wholly concerned with building predicates.

  /cc @mrgilman

* Refactor `PredicateBuilder` from singleton to instance
  Melanie Gilman, 2014-12-02, 1 file, -3/+4

* Stop using `Arel::Table.engine`
  Sean Griffin, 2014-11-29, 1 file, -1/+1

  We never actually make use of it on the table, since we're constructing the select manager manually. It looks like if we ever actually were grabbing it from the table, we're grossly misusing it since it's meant to vary by AR class. Its existence on `Arel::Table` appears to be purely for convenience methods that are never used outside of tests. However, in production code it just complicates construction of the tables on the rails side, and the plan is to remove it from `Arel::Table` entirely. I'm not convinced it needs to live on `SelectManager`, etc either.