On Thursday, May 2, 2019 at 2:54:11 PM UTC-7, Ryan Kingston wrote:
> I have a query like
>
>     SELECT...
>     FROM (
>       SELECT ...
>       FROM :dynamic_table_name
>     ) a
>
> If I call DB.fetch(sql, dynamic_table_name: dynamic_table_name) then Sequel generates the following sql
>
>     SELECT...
>     FROM (
>       SELECT ...
>       FROM 'dynamic_table_name'
>     ) a
>
> which is a syntax error because table names aren't supposed to have quotes around them.
>
> Do I need to manually verify the table name is safe and insert it with string interpolation or does Sequel have a function that will do this for me?
You should manually verify the table name, because using untrusted table names is a recipe for disaster. However, if you have confirmed the table name is trusted, you can do:

    DB.fetch(sql, dynamic_table_name: Sequel.identifier(dynamic_table_name))

This will use an SQL identifier instead of an SQL string.

Thanks,
Jeremy

--
You received this message because you are subscribed to the Google Groups "sequel-talk" group.
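The pattern Jeremy describes, as an added example that is not part of the thread or of Sequel itself: the table name is checked against a fixed allow-list before it is used, and only then is it placed into the query as an identifier. The allow-list, the table names and the query columns are constructed for illustration. `quote_identifier` below is a stand-in that mirrors standard double-quoted SQL identifier syntax so the file runs without the sequel gem; in application code that step is `Sequel.identifier(name)` passed to `DB.fetch` exactly as in the reply.

```ruby
# Added example (not from the thread): allow-list a dynamic table name before
# it is used as an SQL identifier.
#
# Constructed allow-list. In a real application this would be built from the
# schema (for example DB.tables) or be a fixed list of the tables the feature
# is permitted to read. Anything not on it is refused, so a name carrying a
# quote, a semicolon or a comment marker never reaches the SQL text.
ALLOWED_TABLES = %w[events_2019 events_2020 events_archive].freeze

class UnsafeTableName < StandardError; end

# Returns the name unchanged if it is on the allow-list and raises otherwise.
# The comparison is exact and case-sensitive: "Events_2019" or "events_2019 "
# (trailing space) are rejected even though they look close.
def safe_table_name(name)
  unless ALLOWED_TABLES.include?(name)
    raise UnsafeTableName, "table not allowed: #{name.inspect}"
  end
  name
end

# Stand-in for Sequel.identifier (hypothetical helper, not Sequel's code):
# wraps the name in double quotes and doubles any embedded double quote,
# which is the standard SQL identifier quoting. It is defence in depth only;
# the allow-list above is what actually keeps untrusted input out.
def quote_identifier(name)
  '"' + name.gsub('"', '""') + '"'
end

# Builds the subquery shape from the thread with the validated identifier in
# place of the :dynamic_table_name placeholder. With Sequel this would be
#   DB.fetch(sql, dynamic_table_name: Sequel.identifier(safe_table_name(t)))
def build_query(requested_table)
  table = quote_identifier(safe_table_name(requested_table))
  "SELECT a.id, a.created_at FROM (SELECT id, created_at FROM #{table}) a"
end

if __FILE__ == $0
  puts build_query("events_2019")
  begin
    build_query("users") # constructed: not on the allow-list
  rescue UnsafeTableName => e
    puts "rejected: #{e.message}"
  end
end
```

The important property is that the allow-list decides, not the quoting: a request for any table outside the list raises before any SQL is assembled, and a legitimate name reaches the query as an identifier rather than as a quoted string literal.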
