On Jun 8, 3:55 pm, Michael Lang <[email protected]> wrote:
> > I would certainly recommend against this approach. If you do it
> > anyway, you'll have to use a Rack middleware that does something like:
>
> Seems more complicated than it needs to be... I use Padrino/Sinatra
> fronted by Passenger under Apache 2, which will only execute
> single-threaded anyway (that is, one connection per client), and the
> following works for me:
>
> Datacenter.controllers :reports, :parent => :schema do
>   before do
>     @current_schema = params[:schema_id].to_sym
>     use_schema @current_schema
>   end
> end
>
> use_schema is just a helper method defined as:
>
> def use_schema(schema)
>   DB.execute("use #{schema}")
> end
>
> I have about 30 users concurrently under this approach and there
> haven't been any issues with schemas getting inadvertently switched.
> Works correctly with AJAX calls, too.
Two things about your approach:

1) It only works for single-threaded code, and Sequel is multi-threaded by default.

2) It is vulnerable to denial of service, since you are interning a user-defined string.

On most Sequel adapters, literalizing symbols that came from the user may result in SQL injection, though Sequel's PostgreSQL support handles escaping embedded double quotes in identifiers. I don't consider this a bug in Sequel, as symbols should be trusted (since if they are not, you are at least vulnerable to denial of service). For compatibility purposes, I'm happy to accept patches to handle identifier quote escaping when quoting for any adapters that don't currently do so.

Jeremy
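The two problems Jeremy raises, as an added, self-contained example that is not part of the thread and is not Sequel's own code. It uses no database: FakeConnection and FakePool are constructed stand-ins, and the pool models the behaviour a threaded pool has outside a synchronize block, where each statement may check out a different connection. ALLOWED_SCHEMAS is a constructed allowlist; the hardened request keeps the user input as a String (no to_sym), rejects anything not on the allowlist, quotes the identifier by doubling the quote character, and runs USE and the query on one held connection.

```ruby
# Added example (not from the sequel-talk thread, not Sequel's code): why a
# per-request "use #{schema}" is unsafe on a connection pool, and a hardened form.
require 'set'

# Constructed stand-in for a DB connection: remembers the schema selected on it
# and logs every statement so the test can see what the server would receive.
class FakeConnection
  attr_reader :name, :schema, :log

  def initialize(name)
    @name = name
    @schema = 'default'
    @log = []
  end

  # Only the two statement shapes this simulation needs are understood.
  def execute(sql)
    @log << sql
    case sql
    when /\AUSE (.+)\z/i
      name = Regexp.last_match(1)
      # Undo double-quote identifier quoting so schema names stay comparable.
      name = name[1..-2].gsub('""', '"') if name.start_with?('"') && name.end_with?('"')
      @schema = name
    when /\ASELECT/i
      { connection: @name, schema: @schema }   # where the query actually ran
    else
      raise ArgumentError, "unsupported SQL in this simulation: #{sql}"
    end
  end
end

# Constructed pool: a connection is checked out per statement unless the caller
# holds one via #synchronize. Checkout alternates between connections so the
# cross-connection interleaving is deterministic for the demonstration.
class FakePool
  def initialize(connections)
    @connections = connections
    @next = 0
  end

  def checkout
    conn = @connections[@next % @connections.size]
    @next += 1
    conn
  end

  def execute(sql)
    checkout.execute(sql)          # one statement, one checkout
  end

  def synchronize
    yield checkout                 # one connection for the whole block
  end
end

# The pattern from the thread: USE on whatever connection comes first, the
# query on whatever comes next, and the user string interpolated verbatim.
def unsafe_request(pool, schema)
  pool.execute("USE #{schema}")
  pool.execute('SELECT 1 FROM reports')
end

ALLOWED_SCHEMAS = Set['tenant_a', 'tenant_b'].freeze   # constructed allowlist

# Quote an identifier by doubling the quote character (" for PostgreSQL,
# ` for MySQL). Quoting limits injection; the allowlist check is still needed.
def quote_identifier(name, quote: '"')
  "#{quote}#{name.gsub(quote, quote * 2)}#{quote}"
end

# Hardened request: the input stays a String (interning unbounded user strings
# is Jeremy's DoS point), must match a known schema, is quoted, and USE plus
# the query run on the same held connection.
def safe_request(pool, schema)
  raise ArgumentError, "unknown schema #{schema.inspect}" unless ALLOWED_SCHEMAS.include?(schema)
  pool.synchronize do |conn|
    conn.execute("USE #{quote_identifier(schema)}")
    conn.execute('SELECT 1 FROM reports')
  end
end

if $PROGRAM_NAME == __FILE__
  pool = FakePool.new([FakeConnection.new('conn1'), FakeConnection.new('conn2')])
  p unsafe_request(pool, 'tenant_a')   # query ran on conn2 in schema default
  p safe_request(pool, 'tenant_a')     # query ran on conn1 in schema tenant_a
end
```

With two pooled connections the unsafe version selects the schema on one connection and runs the report query on the other, which is still in whatever schema the previous request left it; with the allowlist, an input such as `x; DROP TABLE users; --` is rejected before any SQL is built rather than being sent to the server verbatim.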
