module ActiveRecord::ConnectionAdapters::Quoting

Constants

COLUMN_NAME

Regexp for column names (with or without a table name prefix). Matches the following:

"#{table_name}.#{column_name}"
"#{column_name}"
COLUMN_NAME_WITH_ORDER

Regexp for column names with order (with or without a table name prefix, with or without various order modifiers). Matches the following:

"#{table_name}.#{column_name}"
"#{table_name}.#{column_name} #{direction}"
"#{table_name}.#{column_name} #{direction} NULLS FIRST"
"#{table_name}.#{column_name} NULLS LAST"
"#{column_name}"
"#{column_name} #{direction}"
"#{column_name} #{direction} NULLS FIRST"
"#{column_name} NULLS LAST"

Public Instance Methods

quote(value) click to toggle source

Quotes the column value to help prevent SQL injection attacks.

# File lib/active_record/connection_adapters/abstract/quoting.rb, line 11
def quote(value)
  case value
  when String, Symbol, ActiveSupport::Multibyte::Chars
    "'#{quote_string(value.to_s)}'"
  when true       then quoted_true
  when false      then quoted_false
  when nil        then "NULL"
  # BigDecimals need to be put in a non-normalized form and quoted.
  when BigDecimal then value.to_s("F")
  when Numeric, ActiveSupport::Duration then value.to_s
  when Type::Binary::Data then quoted_binary(value)
  when Type::Time::Value then "'#{quoted_time(value)}'"
  when Date, Time then "'#{quoted_date(value)}'"
  when Class      then "'#{value}'"
  else raise TypeError, "can't quote #{value.class.name}"
  end
end
quote_bound_value(value) click to toggle source

Quote a value to be used as a bound parameter of unknown type. For example, MySQL might perform dangerous castings when comparing a string to a number, so this method will cast numbers to string.

# File lib/active_record/connection_adapters/abstract/quoting.rb, line 50
def quote_bound_value(value)
  quote(value)
end
quote_column_name(column_name) click to toggle source

Quotes the column name. Defaults to no quoting.

# File lib/active_record/connection_adapters/abstract/quoting.rb, line 74
def quote_column_name(column_name)
  column_name.to_s
end
quote_string(s) click to toggle source

Quotes a string, escaping any ‘ (single quote) and \ (backslash) characters.

# File lib/active_record/connection_adapters/abstract/quoting.rb, line 69
def quote_string(s)
  s.gsub("\\", '\&\&').gsub("'", "''") # ' (for ruby-mode)
end
quote_table_name(table_name) click to toggle source

Quotes the table name. Defaults to column name quoting.

# File lib/active_record/connection_adapters/abstract/quoting.rb, line 79
def quote_table_name(table_name)
  quote_column_name(table_name)
end
quote_table_name_for_assignment(table, attr) click to toggle source

Override to return the quoted table name for assignment. Defaults to table quoting.

This works for mysql2 where table.column can be used to resolve ambiguity.

We override this in the sqlite3 and postgresql adapters to use only the column name (as per syntax requirements).

# File lib/active_record/connection_adapters/abstract/quoting.rb, line 91
def quote_table_name_for_assignment(table, attr)
  quote_table_name("#{table}.#{attr}")
end
quoted_date(value) click to toggle source

Quote date/time values for use in SQL input. Includes microseconds if the value is a Time responding to usec.

# File lib/active_record/connection_adapters/abstract/quoting.rb, line 122
def quoted_date(value)
  if value.acts_like?(:time)
    if ActiveRecord.default_timezone == :utc
      value = value.getutc if !value.utc?
    else
      value = value.getlocal
    end
  end

  result = value.to_fs(:db)
  if value.respond_to?(:usec) && value.usec > 0
    result << "." << sprintf("%06d", value.usec)
  else
    result
  end
end
quoted_false() click to toggle source
# File lib/active_record/connection_adapters/abstract/quoting.rb, line 112
def quoted_false
  "FALSE"
end
quoted_true() click to toggle source
# File lib/active_record/connection_adapters/abstract/quoting.rb, line 104
def quoted_true
  "TRUE"
end
type_cast(value) click to toggle source

Cast a value to a type that the database understands. For example, SQLite does not understand dates, so this method will convert a Date to a String.

# File lib/active_record/connection_adapters/abstract/quoting.rb, line 32
def type_cast(value)
  case value
  when Symbol, ActiveSupport::Multibyte::Chars, Type::Binary::Data
    value.to_s
  when true       then unquoted_true
  when false      then unquoted_false
  # BigDecimals need to be put in a non-normalized form and quoted.
  when BigDecimal then value.to_s("F")
  when nil, Numeric, String then value
  when Type::Time::Value then quoted_time(value)
  when Date, Time then quoted_date(value)
  else raise TypeError, "can't cast #{value.class.name}"
  end
end
unquoted_false() click to toggle source
# File lib/active_record/connection_adapters/abstract/quoting.rb, line 116
def unquoted_false
  false
end
unquoted_true() click to toggle source
# File lib/active_record/connection_adapters/abstract/quoting.rb, line 108
def unquoted_true
  true
end

Private Instance Methods

lookup_cast_type(sql_type) click to toggle source
# File lib/active_record/connection_adapters/abstract/quoting.rb, line 216
def lookup_cast_type(sql_type)
  type_map.lookup(sql_type)
end
type_casted_binds(binds) click to toggle source
# File lib/active_record/connection_adapters/abstract/quoting.rb, line 206
def type_casted_binds(binds)
  binds.map do |value|
    if ActiveModel::Attribute === value
      type_cast(value.value_for_database)
    else
      type_cast(value)
    end
  end
end