Module: JDBCHelper::SQL

Defined in:

lib/jdbc-helper/sql.rb

Defined Under Namespace

Classes: Expr, NotNilClass

Class Method Summary

• .check(expr, is_name = false) ⇒ Object

  FIXME: Naive protection for SQL Injection.

• .count(table, conds = nil) ⇒ Object

  Generates count SQL with the given conditions.

• .delete(table, conds = nil) ⇒ Object

  Generates delete SQL with the given conditions.

• .expr(str) ⇒ Object

  Prevents a string from being quoted.

• .insert(table, data_hash) ⇒ Object

  Generates insert SQL with hash.

• .insert_ignore(table, data_hash) ⇒ Object

  Generates insert ignore SQL (Non-standard syntax).

• .not_nil ⇒ Object

  Returns NotNilClass singleton object.

• .order_by(*criteria) ⇒ Object

  Generates SQL order by cluase with the given conditions.

• .replace(table, data_hash) ⇒ Object

  Generates replace SQL (Non-standard syntax).

• .select(table, conds = nil, orders = nil) ⇒ Object

  Generates select * SQL with the given conditions.

• .update(table, data_hash) ⇒ Object

  Generates update SQL with hash.

• .value(data) ⇒ Object

  Formats the given data so that it can be injected into SQL.

• .where(conds) ⇒ Object

  Generates SQL where cluase with the given conditions.

Class Method Details

.check(expr, is_name = false) ⇒ Object

FIXME: Naive protection for SQL Injection

Raises:

• (ArgumentError)

# File 'lib/jdbc-helper/sql.rb', line 91

def self.check expr, is_name = false
  return nil if expr.nil?

  tag = is_name ? 'Object name' : 'Expression'
  test = expr.gsub(/'[^']*'/, '').gsub(/`[^`]*`/, '').gsub(/"[^"]*"/, '').strip
  raise ArgumentError.new("#{tag} cannot contain (unquoted) semi-colons: #{expr}") if test.include?(';')
  raise ArgumentError.new("#{tag} cannot contain (unquoted) comments: #{expr}") if test.match(%r{--|/\*|\*/})
  raise ArgumentError.new("Unclosed quotation mark: #{expr}") if test.match(/['"`]/)
  raise ArgumentError.new("#{tag} is blank") if test.empty?

  if is_name
    raise ArgumentError.new(
      "#{tag} cannot contain (unquoted) parentheses: #{expr}") if test.match(%r{\(|\)})
  end

  return expr
end

.count(table, conds = nil) ⇒ Object

Generates count SQL with the given conditions

# File 'lib/jdbc-helper/sql.rb', line 81

def self.count table, conds = nil
  check "select count(*) from #{table} #{where_internal conds}".strip
end

.delete(table, conds = nil) ⇒ Object

Generates delete SQL with the given conditions

# File 'lib/jdbc-helper/sql.rb', line 86

def self.delete table, conds = nil
  check "delete from #{table} #{where_internal conds}".strip
end

.expr(str) ⇒ Object

Prevents a string from being quoted

# File 'lib/jdbc-helper/sql.rb', line 7

def self.expr str
  Expr.new str
end

.insert(table, data_hash) ⇒ Object

Generates insert SQL with hash

# File 'lib/jdbc-helper/sql.rb', line 49

def self.insert table, data_hash
  insert_internal 'insert', table, data_hash
end

.insert_ignore(table, data_hash) ⇒ Object

Generates insert ignore SQL (Non-standard syntax)

# File 'lib/jdbc-helper/sql.rb', line 54

def self.insert_ignore table, data_hash
  insert_internal 'insert ignore', table, data_hash
end

.not_nil ⇒ Object

Returns NotNilClass singleton object

# File 'lib/jdbc-helper/sql.rb', line 12

def self.not_nil
  NotNilClass.singleton
end

.order_by(*criteria) ⇒ Object

Generates SQL order by cluase with the given conditions.

# File 'lib/jdbc-helper/sql.rb', line 40

def self.order_by *criteria
  str = criteria.map(&:to_s).reject(&:empty?).join(', ')
  str.empty? ? str : check('order by ' + str)
end

.replace(table, data_hash) ⇒ Object

Generates replace SQL (Non-standard syntax)

# File 'lib/jdbc-helper/sql.rb', line 59

def self.replace table, data_hash
  insert_internal 'replace', table, data_hash
end

.select(table, conds = nil, orders = nil) ⇒ Object

Generates select * SQL with the given conditions

# File 'lib/jdbc-helper/sql.rb', line 72

def self.select table, conds = nil, orders = nil
  check [
    "select * from #{table}", 
    where_internal(conds),
    order_by(orders)
  ].reject(&:empty?).join(' ')
end

.update(table, data_hash) ⇒ Object

Generates update SQL with hash. :where element of the given hash is taken out to generate where clause.

# File 'lib/jdbc-helper/sql.rb', line 65

def self.update table, data_hash
  where_clause = where_internal(data_hash.delete :where)
  updates = data_hash.map { |k, v| "#{k} = #{value v}" }.join(', ')
  check "update #{table} set #{updates} #{where_clause}".strip
end

.value(data) ⇒ Object

Formats the given data so that it can be injected into SQL

# File 'lib/jdbc-helper/sql.rb', line 17

def self.value data
  case data
  when NilClass
    'null'
  when Fixnum, Bignum, Float
    data
  when JDBCHelper::SQL::Expr
    data.to_s
  when String
    "'#{esc data}'"
  else
    raise NotImplementedError.new("Unsupported datatype: #{data.class}")
  end
end

.where(conds) ⇒ Object

Generates SQL where cluase with the given conditions. Parameter can be either Hash of String.

# File 'lib/jdbc-helper/sql.rb', line 34

def self.where conds
  where_clause = where_internal conds
  where_clause.empty? ? where_clause : check(where_clause)
end