Hi, after a long time things are going more stable now, so I would like to be more focused on forum and open source. I’m working on next release candidate for one of my libraries and I would need a small help …
I’m working on generating SQL
code. It would be a little similar to fragment
in Ecto.Query
API, but standalone i.e. it would generate a whole query.
See: Ecto.Adapters.SQL.query/4
The things I need are escaoe and/or validate functions for passed values. It should allow literally any name/value supported by PostgreSQL
. I want to validate such parameter types:
- Enum name
- Enum value
- Function name
-
PostgreSQL
schema or prefix inecto
naming - Table column name
- Table name
In one of use cases I’m expecting Enum
value to be passed by user
, but most probably somebody would found also other use cases for rest of them, so for sure I would like to perform a proper escape or validation before generating SQL
code and ensure that there would be no surprise like SQL Injection
problem.
Feel free to link to specific code if it’s solved in other project already. I know that ecto
avoids SQL Injection
, but I had a trouble searching for it in its source code.
What I would like to have is something like:
defmodule Example do
def sample(fragment, args) do
escaped_args = escape(args)
generate_sql(fragment, escaped_args)
end
defp escape(args) when is_list(args), do: Enum.map(args, &escape/1)
defp escape(arg) do
# Here goes your proposal
end
defp generate_sql(fragment, escaped_args) do
# some code goes here
end
end
Also alternative version:
defmodule Example do
def sample(fragment, table_name, col_name, …) do
validated_args = validate(table: table_name, column: col_name, …)
generate_sql(fragment, validated_args)
end
defp validate(args) when is_list(args), do: Enum.map(args, &validate1)
defp validate({:table, table_name}) do
# Here goes your proposal
end
defp generate_sql(fragment, escaped_args) do
# some code goes here
end
end
I’m open to your suggestions.