Path: | doc/release_notes/4.32.0.txt |
Last Update: | Sun Oct 02 21:06:53 +0000 2016 |
DB[:albums].where("name > 'N'")
By default Sequel will treat "name > 'N'" as SQL code. However, this makes it much easier to introduce SQL injection, because anything interpolated into that string also becomes SQL code:

# SQL Injection vulnerability in default Sequel
DB[:albums].where("name > '#{params[:letter]}'")
Sequel does support using placeholders when using literal strings:
# Safe in default Sequel
DB[:albums].where("name > ?", params[:letter])
However, if you forget to use placeholders, you can end up with SQL injection. Accidental usage of filter strings derived from user input as literal SQL code is probably the most common SQL injection vector in applications using Sequel.
With the no_auto_literal_strings extension, passing a plain string as the first or only argument to a filter method raises an exception. If you want to use literal SQL code, you have to do so explicitly:
DB[:albums].where(Sequel.lit("name > 'N'"))
You can also specify placeholders when using Sequel.lit:
DB[:albums].where(Sequel.lit("name > ?", params[:letter]))
Note that in many cases, you can avoid using literal SQL strings completely:
DB[:albums].where{|v| v.name > params[:letter]}
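The difference between interpolation and placeholders, and the guard the extension adds, in an added stand-alone example that is not Sequel's own code and does not load the gem. Lit stands in for Sequel.lit, where_sql models Dataset#where and returns the WHERE fragment that would be sent to the database, and the quoting rule (double every single quote) is an assumption of this model rather than a copy of any adapter's literalizer; the attacker input is constructed.

```ruby
# Added example (not Sequel's own code): a minimal model of what the
# no_auto_literal_strings extension enforces.  Lit stands in for
# Sequel.lit; where_sql models Dataset#where and returns the WHERE
# fragment that would be sent to the database.  The quoting rule
# (double every single quote) is an assumption of this model.

class Lit
  attr_reader :sql, :args
  def initialize(sql, *args)
    @sql = sql
    @args = args
  end
end

# Explicitly mark a string as literal SQL, optionally with placeholders.
def lit(sql, *args)
  Lit.new(sql, *args)
end

# Literalize a Ruby value as an SQL literal.
def quote(value)
  case value
  when String then "'" + value.gsub("'", "''") + "'"
  when Integer, Float then value.to_s
  when nil then "NULL"
  else raise ArgumentError, "cannot literalize #{value.class}"
  end
end

# Replace each ? with the next literalized argument; the count must match.
def bind(sql, args)
  remaining = args.dup
  bound = sql.gsub("?") do
    raise ArgumentError, "too few placeholder values" if remaining.empty?
    quote(remaining.shift)
  end
  raise ArgumentError, "too many placeholder values" unless remaining.empty?
  bound
end

# auto_literal: true models default Sequel 4.x (a String is SQL code);
# false models the no_auto_literal_strings extension (a String raises).
def where_sql(filter, *args, auto_literal: false)
  case filter
  when Lit
    raise ArgumentError, "pass placeholder values to lit, not where" unless args.empty?
    bind(filter.sql, filter.args)
  when String
    raise ArgumentError, "plain String given as filter; use lit(...)" unless auto_literal
    bind(filter, args)
  else
    raise ArgumentError, "unsupported filter #{filter.inspect}"
  end
end

# Constructed attacker input standing in for params[:letter].
MALICIOUS_LETTER = "' OR 1=1 --"

# Default behaviour with interpolation: the input becomes SQL code.
def injected_where
  where_sql("name > '#{MALICIOUS_LETTER}'", auto_literal: true)
end

# Default behaviour with a placeholder: the input stays a string value.
def placeholder_where_default
  where_sql("name > ?", MALICIOUS_LETTER, auto_literal: true)
end

# With the extension: the interpolated string cannot even be passed.
def plain_string_rejected?
  where_sql("name > '#{MALICIOUS_LETTER}'")
  false
rescue ArgumentError
  true
end

# With the extension: literal SQL must be marked, placeholders still work.
def placeholder_where_extension
  where_sql(lit("name > ?", MALICIOUS_LETTER))
end

if __FILE__ == $0
  puts injected_where              # name > '' OR 1=1 --'
  puts placeholder_where_extension # name > ''' OR 1=1 --'
  puts plain_string_rejected?      # true
end
```

The interpolated form produces name > '' OR 1=1 --', which matches every row; the placeholder form produces name > ''' OR 1=1 --', a comparison against one odd string. The extension does not make the placeholder path safer, it removes the path where forgetting the placeholder goes unnoticed.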
Foo.one_through_one :bar
foo = Foo[1]
foo.bar = Bar[2]
foo.bar = nil
This will check the current entry in the join table, and based on the argument and the current entry, run a DELETE, INSERT, or UPDATE query, or take no action if the join table is already in the correct state.
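The reconciliation described above, as an added example that is not Sequel's own code: JoinTable is an in-memory stand-in for the join table, and the table name foos_bars and columns foo_id and bar_id are assumed. Each call returns the statement the setter would run (or nil when the table is already in the requested state) and updates the in-memory rows.

```ruby
# Added example (not Sequel's own code): models the decision the
# one_through_one setter makes against the join table.  The table name
# foos_bars and the columns foo_id/bar_id are assumptions of this model.

class JoinTable
  attr_reader :rows

  def initialize(rows = [])
    @rows = rows   # array of {foo_id:, bar_id:} hashes
  end

  # Models Foo#bar= for the foo with the given id.
  # Returns the SQL that would run, or nil when no query is needed.
  # Only Integer ids are accepted so the interpolation below cannot
  # carry attacker-controlled text.
  def set_bar(foo_id, bar_id)
    raise ArgumentError, "foo_id must be an Integer" unless foo_id.is_a?(Integer)
    raise ArgumentError, "bar_id must be an Integer or nil" unless bar_id.nil? || bar_id.is_a?(Integer)

    current = @rows.find { |r| r[:foo_id] == foo_id }
    if current.nil? && bar_id.nil?
      nil   # nothing associated, nothing requested
    elsif current.nil?
      @rows << {foo_id: foo_id, bar_id: bar_id}
      "INSERT INTO foos_bars (foo_id, bar_id) VALUES (#{foo_id}, #{bar_id})"
    elsif bar_id.nil?
      @rows.delete(current)
      "DELETE FROM foos_bars WHERE (foo_id = #{foo_id})"
    elsif current[:bar_id] == bar_id
      nil   # already associated with the requested row
    else
      current[:bar_id] = bar_id
      "UPDATE foos_bars SET bar_id = #{bar_id} WHERE (foo_id = #{foo_id})"
    end
  end
end

# Walk through the four outcomes on a fresh table.
def setter_trace
  t = JoinTable.new
  [
    t.set_bar(1, 2),    # INSERT
    t.set_bar(1, 2),    # no-op, same row
    t.set_bar(1, 3),    # UPDATE
    t.set_bar(1, nil),  # DELETE
    t.set_bar(1, nil),  # no-op, nothing left
  ]
end

if __FILE__ == $0
  setter_trace.each { |sql| puts(sql || "(no query)") }
end
```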
Model.default_association_options = {:read_only=>true}
Which makes associations not create modification methods by default. You could still create the modification methods for a particular association by passing :read_only=>false when creating that association.
artist = Artist.all.first
# Loads all albums for all of the artists,
# and all tracks for all of those albums
artist.albums(:eager=>:tracks)
# Reload the albums association for all artists
artist.albums(:eager_reload=>true)
You can also use the :eager option for an eager loading callback:
# Eagerly load the albums with names starting with A-M
artist.albums(:eager=>proc{|ds| ds.where{name < 'N'}})
In Sequel <4.31.0, if you provided nil, it would either raise an exception immediately if :delay_pks was not set, or on saving if :delay_pks was set.
In Sequel 4.31.0, if :delay_pks was not set, it would remove all associated rows. If :delay_pks was set, it would do nothing.
You can now set :association_pks_nil=>:remove to remove all associated values on nil, or :association_pks_nil=>:ignore to ignore a nil value passed to the method. Without :association_pks_nil set, an exception will be raised.
DB[:a].join(:b, :a_id=>:id).delete_from(:a, :b).delete
# DELETE a, b FROM a INNER JOIN b ON (b.a_id = a.id)