Sequel is awesome. Thank you!

On Thursday, May 2, 2019 at 5:29:28 PM UTC-6, Jeremy Evans wrote:
>
> On Thursday, May 2, 2019 at 2:54:11 PM UTC-7, Ryan Kingston wrote:
>>
>> I have a query like
>> SELECT...
>> FROM (
>> SELECT ...
>> FROM :dynamic_table_name
>> ) a
>>
>> If I call DB.fetch(sql, dynamic_table_name: dynamic_table_name) then
>> Sequel generates the following sql
>> SELECT...
>> FROM (
>> SELECT ...
>> FROM 'dynamic_table_name'
>> ) a
>>
>> which is a syntax error because table names aren't supposed to have
>> quotes around them.
>>
>> Do I need to manually verify the table name is safe and insert it with
>> string interpolation or does Sequel have a function that will do this for
>> me?
>>
>
> You should manually verify the table name, because using untrusted table
> names is a recipe for disaster. However, if you have confirmed the table
> name is trusted, you can do:
>
> DB.fetch(sql, dynamic_table_name: Sequel.identifier(dynamic_table_name))
>
> This will use an SQL identifier instead of an SQL string.
>
> Thanks,
> Jeremy
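The advice in the thread above, as an added example that is not part of the original messages: check the requested name against a fixed allowlist, then hand the result to `Sequel.identifier`. The table names, `ALLOWED_TABLES`, `trusted_table` and `fetch_from` are hypothetical, and `db` is assumed to be an existing `Sequel::Database`.

```ruby
# Added example, not code from the thread or from Sequel itself.
# Constructed sample names; replace with the tables the application may read.
ALLOWED_TABLES = %w[events_2018 events_2019].freeze

SQL = <<~SQL
  SELECT a.*
  FROM (
    SELECT *
    FROM :dynamic_table_name
  ) a
SQL

# Returns the allowlist's own copy of the name, so no caller-supplied
# string reaches the query. Accepts a String or Symbol and raises
# ArgumentError for anything that is not an exact match.
def trusted_table(name)
  key = name.to_s
  ALLOWED_TABLES.find { |t| t == key } or
    raise ArgumentError, "table not permitted: #{key.inspect}"
end

# db is assumed to be an existing Sequel::Database (hypothetical helper).
# Sequel.identifier makes the placeholder render as an SQL identifier
# instead of a quoted SQL string, as described in the reply above.
def fetch_from(db, name)
  require "sequel" # no-op when the application has already loaded it
  db.fetch(SQL, dynamic_table_name: Sequel.identifier(trusted_table(name)))
end
```

Validation happens before the identifier is built, so a rejected name raises without a query being prepared or sent.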
