rails--rails/activerecord/lib/active_record/sanitization.rb

module ActiveRecord
  module Sanitization
    extend ActiveSupport::Concern

    module ClassMethods
      def quote_value(value, column) #:nodoc:
        connection.quote(value, column)
      end

      # Used to sanitize objects before they're used in an SQL SELECT statement. Delegates to <tt>connection.quote</tt>.
      def sanitize(object) #:nodoc:
        connection.quote(object)
      end

      protected

      # Accepts an array, hash, or string of SQL conditions and sanitizes
      # them into a valid SQL fragment for a WHERE clause.
      #   ["name='%s' and group_id='%s'", "foo'bar", 4]  returns  "name='foo''bar' and group_id='4'"
      #   { name: "foo'bar", group_id: 4 }  returns "name='foo''bar' and group_id='4'"
      #   "name='foo''bar' and group_id='4'" returns "name='foo''bar' and group_id='4'"
      def sanitize_sql_for_conditions(condition, table_name = self.table_name)
        return nil if condition.blank?

        case condition
        when Array; sanitize_sql_array(condition)
        when Hash;  sanitize_sql_hash_for_conditions(condition, table_name)
        else        condition
        end
      end
      alias_method :sanitize_sql, :sanitize_sql_for_conditions

      # Accepts an array, hash, or string of SQL conditions and sanitizes
      # them into a valid SQL fragment for a SET clause.
      #   { name: nil, group_id: 4 }  returns "name = NULL , group_id='4'"
      def sanitize_sql_for_assignment(assignments, default_table_name = self.table_name)
        case assignments
        when Array; sanitize_sql_array(assignments)
        when Hash;  sanitize_sql_hash_for_assignment(assignments, default_table_name)
        else        assignments
        end
      end

      # Accepts a hash of SQL conditions and replaces those attributes
      # that correspond to a +composed_of+ relationship with their expanded
      # aggregate attribute values.
      # Given:
      #     class Person < ActiveRecord::Base
      #       composed_of :address, class_name: "Address",
      #         mapping: [%w(address_street street), %w(address_city city)]
      #     end
      # Then:
      #     { address: Address.new("813 abc st.", "chicago") }
      #       # => { address_street: "813 abc st.", address_city: "chicago" }
      def expand_hash_conditions_for_aggregates(attrs)
        expanded_attrs = {}
        attrs.each do |attr, value|
          if aggregation = reflect_on_aggregation(attr.to_sym)
            mapping = aggregation.mapping
            mapping.each do |field_attr, aggregate_attr|
              if mapping.size == 1 && !value.respond_to?(aggregate_attr)
                expanded_attrs[field_attr] = value
              else
                expanded_attrs[field_attr] = value.send(aggregate_attr)
              end
            end
          else
            expanded_attrs[attr] = value
          end
        end
        expanded_attrs
      end

      # Sanitizes a hash of attribute/value pairs into SQL conditions for a WHERE clause.
      #   { name: "foo'bar", group_id: 4 }
      #     # => "name='foo''bar' and group_id= 4"
      #   { status: nil, group_id: [1,2,3] }
      #     # => "status IS NULL and group_id IN (1,2,3)"
      #   { age: 13..18 }
      #     # => "age BETWEEN 13 AND 18"
      #   { 'other_records.id' => 7 }
      #     # => "`other_records`.`id` = 7"
      #   { other_records: { id: 7 } }
      #     # => "`other_records`.`id` = 7"
      # And for value objects on a composed_of relationship:
      #   { address: Address.new("123 abc st.", "chicago") }
      #     # => "address_street='123 abc st.' and address_city='chicago'"
      def sanitize_sql_hash_for_conditions(attrs, default_table_name = self.table_name)
        attrs = PredicateBuilder.resolve_column_aliases self, attrs
        attrs = expand_hash_conditions_for_aggregates(attrs)

        table = Arel::Table.new(table_name, arel_engine).alias(default_table_name)
        PredicateBuilder.build_from_hash(self, attrs, table).map { |b|
          connection.visitor.accept b
        }.join(' AND ')
      end
      alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions

      # Sanitizes a hash of attribute/value pairs into SQL conditions for a SET clause.
      #   { status: nil, group_id: 1 }
      #     # => "status = NULL , group_id = 1"
      def sanitize_sql_hash_for_assignment(attrs, table)
        attrs.map do |attr, value|
          "#{connection.quote_table_name_for_assignment(table, attr)} = #{quote_bound_value(value)}"
        end.join(', ')
      end

      # Accepts an array of conditions. The array has each value
      # sanitized and interpolated into the SQL statement.
      #   ["name='%s' and group_id='%s'", "foo'bar", 4]  returns  "name='foo''bar' and group_id='4'"
      def sanitize_sql_array(ary)
        statement, *values = ary
        if values.first.is_a?(Hash) && statement =~ /:\w+/
          replace_named_bind_variables(statement, values.first)
        elsif statement.include?('?')
          replace_bind_variables(statement, values)
        elsif statement.blank?
          statement
        else
          statement % values.collect { |value| connection.quote_string(value.to_s) }
        end
      end

      alias_method :sanitize_conditions, :sanitize_sql

      def replace_bind_variables(statement, values) #:nodoc:
        raise_if_bind_arity_mismatch(statement, statement.count('?'), values.size)
        bound = values.dup
        c = connection
        statement.gsub('?') { quote_bound_value(bound.shift, c) }
      end

      def replace_named_bind_variables(statement, bind_vars) #:nodoc:
        statement.gsub(/(:?):([a-zA-Z]\w*)/) do
          if $1 == ':' # skip postgresql casts
            $& # return the whole match
          elsif bind_vars.include?(match = $2.to_sym)
            quote_bound_value(bind_vars[match])
          else
            raise PreparedStatementInvalid, "missing value for :#{match} in #{statement}"
          end
        end
      end

      def quote_bound_value(value, c = connection) #:nodoc:
        if value.respond_to?(:map) && !value.acts_like?(:string)
          if value.respond_to?(:empty?) && value.empty?
            c.quote(nil)
          else
            value.map { |v| c.quote(v) }.join(',')
          end
        else
          c.quote(value)
        end
      end

      def raise_if_bind_arity_mismatch(statement, expected, provided) #:nodoc:
        unless expected == provided
          raise PreparedStatementInvalid, "wrong number of bind variables (#{provided} for #{expected}) in: #{statement}"
        end
      end
    end

    # TODO: Deprecate this
    def quoted_id
      self.class.quote_value(id, column_for_attribute(self.class.primary_key))
    end
  end
end
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`module ActiveRecord`
			`module Sanitization`
			`extend ActiveSupport::Concern`

			`module ClassMethods`
Don't allow `quote_value` to be called without a column Some adapters require column information to do their job properly. By enforcing the provision of the column for this internal method we ensure that those using adapters that require column information will always get the proper behavior. 2013-07-20 23:30:35 -04:00			`def quote_value(value, column) #:nodoc:`
			`connection.quote(value, column)`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`end`

			`# Used to sanitize objects before they're used in an SQL SELECT statement. Delegates to <tt>connection.quote</tt>.`
			`def sanitize(object) #:nodoc:`
			`connection.quote(object)`
			`end`

			`protected`

			`# Accepts an array, hash, or string of SQL conditions and sanitizes`
			`# them into a valid SQL fragment for a WHERE clause.`
			`# ["name='%s' and group_id='%s'", "foo'bar", 4] returns "name='foo''bar' and group_id='4'"`
1.9 Syntax related changes 2012-11-10 10:16:21 -05:00			`# { name: "foo'bar", group_id: 4 } returns "name='foo''bar' and group_id='4'"`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`# "name='foo''bar' and group_id='4'" returns "name='foo''bar' and group_id='4'"`
			`def sanitize_sql_for_conditions(condition, table_name = self.table_name)`
			`return nil if condition.blank?`

			`case condition`
			`when Array; sanitize_sql_array(condition)`
			`when Hash; sanitize_sql_hash_for_conditions(condition, table_name)`
			`else condition`
			`end`
			`end`
			`alias_method :sanitize_sql, :sanitize_sql_for_conditions`

			`# Accepts an array, hash, or string of SQL conditions and sanitizes`
			`# them into a valid SQL fragment for a SET clause.`
1.9 Syntax related changes 2012-11-10 10:16:21 -05:00			`# { name: nil, group_id: 4 } returns "name = NULL , group_id='4'"`
Fix cases where delete_records on a has_many association caused errors because of an ambiguous column name. This happened if the association model had a default scope that referenced a third table, and the third table also referenced the original table (with an identical foreign_key). Mysql requires that ambiguous columns are deambiguated by using the full table.column syntax. Postgresql and Sqlite use a different syntax for updates altogether (and don't tolerate table.name syntax), so the fix requires always including the full table.column and discarding it later for Sqlite and Postgresql. 2013-01-14 15:39:51 -05:00			`def sanitize_sql_for_assignment(assignments, default_table_name = self.table_name)`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`case assignments`
Refactor and cleanup in some ActiveRecord modules * Avoid double hash lookups in AR::Reflection when reflecting associations/aggregations * Minor cleanups: use elsif, do..end, if..else instead of unless..else * Simplify DynamicMatchers#respond_to? * Use "where" instead of scoped with conditions hash * Extract `scoped_by` method pattern regexp to constant * Extract noisy class_eval from method_missing in dynamic matchers * Extract readonly check, avoid calling column#to_s twice in persistence * Refactor predicate builder, remove some variables 2012-03-03 00:10:39 -05:00			`when Array; sanitize_sql_array(assignments)`
Fix cases where delete_records on a has_many association caused errors because of an ambiguous column name. This happened if the association model had a default scope that referenced a third table, and the third table also referenced the original table (with an identical foreign_key). Mysql requires that ambiguous columns are deambiguated by using the full table.column syntax. Postgresql and Sqlite use a different syntax for updates altogether (and don't tolerate table.name syntax), so the fix requires always including the full table.column and discarding it later for Sqlite and Postgresql. 2013-01-14 15:39:51 -05:00			`when Hash; sanitize_sql_hash_for_assignment(assignments, default_table_name)`
Refactor and cleanup in some ActiveRecord modules * Avoid double hash lookups in AR::Reflection when reflecting associations/aggregations * Minor cleanups: use elsif, do..end, if..else instead of unless..else * Simplify DynamicMatchers#respond_to? * Use "where" instead of scoped with conditions hash * Extract `scoped_by` method pattern regexp to constant * Extract noisy class_eval from method_missing in dynamic matchers * Extract readonly check, avoid calling column#to_s twice in persistence * Refactor predicate builder, remove some variables 2012-03-03 00:10:39 -05:00			`else assignments`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`end`
			`end`

Revert "Removing composed_of from ActiveRecord." This reverts commit 14fc8b34521f8354a17e50cd11fa3f809e423592. Reason: we need to discuss a better path from this removal. Conflicts: activerecord/lib/active_record/reflection.rb activerecord/test/cases/base_test.rb activerecord/test/models/developer.rb 2012-07-27 17:21:29 -04:00			`# Accepts a hash of SQL conditions and replaces those attributes`
			`# that correspond to a +composed_of+ relationship with their expanded`
			`# aggregate attribute values.`
			`# Given:`
			`# class Person < ActiveRecord::Base`
1.9 Syntax related changes 2012-11-10 10:16:21 -05:00			`# composed_of :address, class_name: "Address",`
			`# mapping: [%w(address_street street), %w(address_city city)]`
Revert "Removing composed_of from ActiveRecord." This reverts commit 14fc8b34521f8354a17e50cd11fa3f809e423592. Reason: we need to discuss a better path from this removal. Conflicts: activerecord/lib/active_record/reflection.rb activerecord/test/cases/base_test.rb activerecord/test/models/developer.rb 2012-07-27 17:21:29 -04:00			`# end`
			`# Then:`
1.9 Syntax related changes 2012-11-10 10:16:21 -05:00			`# { address: Address.new("813 abc st.", "chicago") }`
			`# # => { address_street: "813 abc st.", address_city: "chicago" }`
Revert "Removing composed_of from ActiveRecord." This reverts commit 14fc8b34521f8354a17e50cd11fa3f809e423592. Reason: we need to discuss a better path from this removal. Conflicts: activerecord/lib/active_record/reflection.rb activerecord/test/cases/base_test.rb activerecord/test/models/developer.rb 2012-07-27 17:21:29 -04:00			`def expand_hash_conditions_for_aggregates(attrs)`
			`expanded_attrs = {}`
			`attrs.each do \|attr, value\|`
			`if aggregation = reflect_on_aggregation(attr.to_sym)`
			`mapping = aggregation.mapping`
			`mapping.each do \|field_attr, aggregate_attr\|`
			`if mapping.size == 1 && !value.respond_to?(aggregate_attr)`
			`expanded_attrs[field_attr] = value`
			`else`
			`expanded_attrs[field_attr] = value.send(aggregate_attr)`
			`end`
			`end`
			`else`
			`expanded_attrs[attr] = value`
			`end`
			`end`
			`expanded_attrs`
			`end`

Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`# Sanitizes a hash of attribute/value pairs into SQL conditions for a WHERE clause.`
1.9 Syntax related changes 2012-11-10 10:16:21 -05:00			`# { name: "foo'bar", group_id: 4 }`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`# # => "name='foo''bar' and group_id= 4"`
1.9 Syntax related changes 2012-11-10 10:16:21 -05:00			`# { status: nil, group_id: [1,2,3] }`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`# # => "status IS NULL and group_id IN (1,2,3)"`
1.9 Syntax related changes 2012-11-10 10:16:21 -05:00			`# { age: 13..18 }`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`# # => "age BETWEEN 13 AND 18"`
			`# { 'other_records.id' => 7 }`
			# # => "`other_records`.`id` = 7"
1.9 Syntax related changes 2012-11-10 10:16:21 -05:00			`# { other_records: { id: 7 } }`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			# # => "`other_records`.`id` = 7"
			`# And for value objects on a composed_of relationship:`
1.9 Syntax related changes 2012-11-10 10:16:21 -05:00			`# { address: Address.new("123 abc st.", "chicago") }`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`# # => "address_street='123 abc st.' and address_city='chicago'"`
			`def sanitize_sql_hash_for_conditions(attrs, default_table_name = self.table_name)`
resolve aliases before passing the hash to the predicate builder 2013-07-02 14:12:17 -04:00			`attrs = PredicateBuilder.resolve_column_aliases self, attrs`
Revert "Removing composed_of from ActiveRecord." This reverts commit 14fc8b34521f8354a17e50cd11fa3f809e423592. Reason: we need to discuss a better path from this removal. Conflicts: activerecord/lib/active_record/reflection.rb activerecord/test/cases/base_test.rb activerecord/test/models/developer.rb 2012-07-27 17:21:29 -04:00			`attrs = expand_hash_conditions_for_aggregates(attrs)`

Pass in the model class rather than engine In some circumstances engine was Arel::Table.engine which for separate reasons was an ActiveRecord::Model::DeprecationProxy, which caused a deprecation warning. In any case, we want the actual model class here, since we want to use it to infer information about associations. 2012-09-12 19:12:25 -04:00			`table = Arel::Table.new(table_name, arel_engine).alias(default_table_name)`
Fix bug in ActiveRecord::Sanitization#sanitize_sql_hash_for_conditions Fixing CHANGLOG description Remove extra line. Remove blank lines. 2013-04-25 20:20:33 -04:00			`PredicateBuilder.build_from_hash(self, attrs, table).map { \|b\|`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`connection.visitor.accept b`
			`}.join(' AND ')`
			`end`
			`alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions`

			`# Sanitizes a hash of attribute/value pairs into SQL conditions for a SET clause.`
1.9 Syntax related changes 2012-11-10 10:16:21 -05:00			`# { status: nil, group_id: 1 }`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`# # => "status = NULL , group_id = 1"`
Fix cases where delete_records on a has_many association caused errors because of an ambiguous column name. This happened if the association model had a default scope that referenced a third table, and the third table also referenced the original table (with an identical foreign_key). Mysql requires that ambiguous columns are deambiguated by using the full table.column syntax. Postgresql and Sqlite use a different syntax for updates altogether (and don't tolerate table.name syntax), so the fix requires always including the full table.column and discarding it later for Sqlite and Postgresql. 2013-01-14 15:39:51 -05:00			`def sanitize_sql_hash_for_assignment(attrs, table)`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`attrs.map do \|attr, value\|`
Fix cases where delete_records on a has_many association caused errors because of an ambiguous column name. This happened if the association model had a default scope that referenced a third table, and the third table also referenced the original table (with an identical foreign_key). Mysql requires that ambiguous columns are deambiguated by using the full table.column syntax. Postgresql and Sqlite use a different syntax for updates altogether (and don't tolerate table.name syntax), so the fix requires always including the full table.column and discarding it later for Sqlite and Postgresql. 2013-01-14 15:39:51 -05:00			`"#{connection.quote_table_name_for_assignment(table, attr)} = #{quote_bound_value(value)}"`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`end.join(', ')`
			`end`

			`# Accepts an array of conditions. The array has each value`
			`# sanitized and interpolated into the SQL statement.`
			`# ["name='%s' and group_id='%s'", "foo'bar", 4] returns "name='foo''bar' and group_id='4'"`
			`def sanitize_sql_array(ary)`
			`statement, *values = ary`
			`if values.first.is_a?(Hash) && statement =~ /:\w+/`
			`replace_named_bind_variables(statement, values.first)`
			`elsif statement.include?('?')`
			`replace_bind_variables(statement, values)`
			`elsif statement.blank?`
			`statement`
			`else`
			`statement % values.collect { \|value\| connection.quote_string(value.to_s) }`
			`end`
			`end`

			`alias_method :sanitize_conditions, :sanitize_sql`

			`def replace_bind_variables(statement, values) #:nodoc:`
			`raise_if_bind_arity_mismatch(statement, statement.count('?'), values.size)`
			`bound = values.dup`
			`c = connection`
			`statement.gsub('?') { quote_bound_value(bound.shift, c) }`
			`end`

			`def replace_named_bind_variables(statement, bind_vars) #:nodoc:`
			`statement.gsub(/(:?):([a-zA-Z]\w*)/) do`
			`if $1 == ':' # skip postgresql casts`
			`$& # return the whole match`
			`elsif bind_vars.include?(match = $2.to_sym)`
			`quote_bound_value(bind_vars[match])`
			`else`
			`raise PreparedStatementInvalid, "missing value for :#{match} in #{statement}"`
			`end`
			`end`
			`end`

			`def quote_bound_value(value, c = connection) #:nodoc:`
			`if value.respond_to?(:map) && !value.acts_like?(:string)`
			`if value.respond_to?(:empty?) && value.empty?`
			`c.quote(nil)`
			`else`
			`value.map { \|v\| c.quote(v) }.join(',')`
			`end`
			`else`
			`c.quote(value)`
			`end`
			`end`

			`def raise_if_bind_arity_mismatch(statement, expected, provided) #:nodoc:`
			`unless expected == provided`
			`raise PreparedStatementInvalid, "wrong number of bind variables (#{provided} for #{expected}) in: #{statement}"`
			`end`
			`end`
			`end`

			`# TODO: Deprecate this`
Remove instance level quote_value method. This method is private and also exists in class method. 2012-07-09 12:31:27 -04:00			`def quoted_id`
			`self.class.quote_value(id, column_for_attribute(self.class.primary_key))`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`end`
			`end`
			`end`