support #$ interpolation for dynamic sql such as table names, order clause, etc


Love relate and the SqlResult parsing is much cleaner than anorm. One thing missing is #$ interpolation which is supported by anorm and slick. It's helpful for use cases like dynamic table names, order clauses, etc:

val accountId = 2
val orderCol = "foo"
val orderDir = "desc"
sql"select name, sum(foo) as foo, sum(bar) as bar from table where account_id = $accountId group by name order by #$orderCol #$orderDir"

I have a quick and dirty commit which unblocks me for now, would remove this for official version if/when supported: https://github.com/xadrnd/relate/commit/40e176617280e836ab5a6c6a7babbef3e04a47e5

Thanks!

Issue Analytics

  • State: open
  • Created 9 years ago
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

1 reaction
pauldraper commented, Mar 12, 2015

@rfranco, that is actually already implemented 😉 InterpolatedQuery is a MultiParameter, which is a Parameter.


@rbanikaz, see https://github.com/lucidsoftware/relate/wiki/Query-Interpolation#query-composition.

// interpolate (my preference)
val sql1 = sql"SELECT * FROM users"
val sql2 = sql"$sql1 LIMIT 5"

// concatenate
val sql3 = sql"SELECT * FROM users"
val sql4 = sql" LIMIT 5"
val sql5 = sql3 + sql4

(FYI, if for some reason you aren’t constructing your queries with literal strings, an arbitrary string can be converted to a query by calling .toSql on it. Of course, you should only do this with trusted data.)

I like this approach to interpolation, as it encodes the semantics of the data – text data, or SQL query – in the type. It avoids the “String as universal data type” smell, and it makes accidental SQL injection more difficult.

Let me know if you find this reasonable.
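The "trusted data" caveat above, worked through for the order-clause case from the issue. This is an added example, not part of the thread and not relate's own code; `OrderBy`, `clause`, `sortableColumns`, `directions` and the sample inputs are hypothetical names and constructed values. It uses only the Scala standard library and produces the string that would then be handed to `.toSql`.

```scala
import java.util.Locale

// Added example: allowlist for a dynamic ORDER BY fragment.
// All names here are hypothetical; nothing below is relate's API.
object OrderBy {
  // Keys are what a caller may request; values are the exact identifiers
  // emitted into SQL. The emitted text always comes from this source file,
  // never from the caller's string.
  private val sortableColumns: Map[String, String] = Map(
    "name" -> "name",
    "foo"  -> "foo",
    "bar"  -> "bar"
  )

  private val directions: Map[String, String] = Map(
    "asc"  -> "ASC",
    "desc" -> "DESC"
  )

  /** Some(fragment) when both inputs are allowlisted, None otherwise. */
  def clause(column: String, direction: String): Option[String] =
    for {
      col <- sortableColumns.get(column)
      dir <- directions.get(direction.toLowerCase(Locale.ROOT))
    } yield s" ORDER BY $col $dir"
}

object Demo extends App {
  // Constructed inputs: one valid request and two that must be refused.
  val requests = Seq(
    ("foo", "desc"),
    ("foo; select 1 --", "desc"),
    ("name", "sideways")
  )

  requests.foreach { case (column, direction) =>
    OrderBy.clause(column, direction) match {
      case Some(fragment) =>
        // Only a fragment built from the allowlist is treated as trusted SQL,
        // i.e. the only kind of string that should reach .toSql.
        println(s"accepted:$fragment")
      case None =>
        println(s"rejected: ($column, $direction)")
    }
  }
}
```

Values such as the account id stay as ordinary `$` parameters in the query; only the allowlisted fragment is ever treated as SQL text.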

0 reactions
rbanikaz commented, Mar 12, 2015

Cool, thanks! I didn’t know about the toSql, that’s helpful, at least it covers the use case.

I do think the #$ is nice. I didn’t spend much time going through your codebase, but I will go ahead and submit the PR. It will be great if you take a look; I will be happy to respond to comments…

Cheers!
