From a2571ef312b0f15ffdda60274bc94361a4a18211 Mon Sep 17 00:00:00 2001 From: Sean Corfield Date: Sun, 11 Sep 2022 19:43:13 -0700 Subject: [PATCH] close #427 by documenting the new function --- CHANGELOG.md | 2 +- doc/getting-started.md | 2 +- doc/options.md | 11 +++++++++++ 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 26f36b0..0017922 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,7 @@ # Changes * 2.3.next in progress - * Address [#427](https://github.com/seancorfield/honeysql/issues/427) by adding `set-options!` -- NEEDS DOCUMENTATION! + * Address [#427](https://github.com/seancorfield/honeysql/issues/427) by adding `set-options!`. * 2.3.928 -- 2022-09-04 * Address [#425](https://github.com/seancorfield/honeysql/issues/425) by clarifying that `INTERVAL` as special syntax may be MySQL-specific and PostgreSQL uses difference syntax (because `INTERVAL` is a data type there). diff --git a/doc/getting-started.md b/doc/getting-started.md index cc15093..50475ff 100644 --- a/doc/getting-started.md +++ b/doc/getting-started.md @@ -298,7 +298,7 @@ Most databases use `"` for quoting (the `:ansi` and `:oracle` dialects). The `:sqlserver` dialect uses `[`..`]` and the `:mysql` dialect uses ```..```. In addition, the `:oracle` dialect disables `AS` in aliases. -> Note: by default, quoting is **off** which produces cleaner-looking SQL and assumes you control all the symbols/keywords used as table, column, and function names -- the "SQL entities". If you are building any SQL or DDL where the table, column, or function names could be provided by an external source, **you should specify `:quoted true` to ensure all SQL entities are safely quoted**. As of 2.3.928, if you do _not_ specify `:quoted` as an option, HoneySQL will automatically quote any SQL entities that seem unusual, i.e., that contain any characters that are not alphanumeric or underscore. Purely alphanumeric entities will not be quoted (no entities were quoted by default prior to 2.3.928). You can prevent that auto-quoting by explicitly passing `:quoted false` into the `format` call but, from a security point of view, you should think very carefully before you do that: quoting entity names helps protect you from injection attacks! +> Note: by default, quoting is **off** which produces cleaner-looking SQL and assumes you control all the symbols/keywords used as table, column, and function names -- the "SQL entities". If you are building any SQL or DDL where the table, column, or function names could be provided by an external source, **you should specify `:quoted true` to ensure all SQL entities are safely quoted**. As of 2.3.928, if you do _not_ specify `:quoted` as an option, HoneySQL will automatically quote any SQL entities that seem unusual, i.e., that contain any characters that are not alphanumeric or underscore. Purely alphanumeric entities will not be quoted (no entities were quoted by default prior to 2.3.928). You can prevent that auto-quoting by explicitly passing `:quoted false` into the `format` call but, from a security point of view, you should think very carefully before you do that: quoting entity names helps protect you from injection attacks! As of 2.3.next, you can change the default setting of `:quoted` from `nil` to `true` (or `false`) via the `set-options!` function. Currently, the only dialect that has substantive differences from the others is `:mysql` for which the `:set` clause diff --git a/doc/options.md b/doc/options.md index 9b32809..95bae0b 100644 --- a/doc/options.md +++ b/doc/options.md @@ -24,6 +24,17 @@ All options may be omitted. The default behavior of each option is described in * `:quoted-snake` -- a Boolean indicating whether or not quoted and string SQL entity names should have `-` replaced by `_`; the default is `false` -- quoted and string SQL entity names are left exactly as-is, * `:values-default-columns` -- a sequence of column names that should have `DEFAULT` values instead of `NULL` values if used in a `VALUES` clause with no associated matching value in the hash maps passed in; the default behavior is for such missing columns to be given `NULL` values. +As of 2.3.next, you can call `set-options!` with an options hash map to change the +global defaults of certain options: + +* `:checking` -- can be `:basic` or `:strict`; specify `:none` to reset to the default, +* `:inline` -- can be `true` but consider the security issues this causes by not using parameterized SQL statements; specify `false` (or `nil`) to reset to the default, +* `:quoted` -- can be `true` or `false`; specify `nil` to reset to the default; calling `set-dialect!` or providing a `:dialect` option to `format` will override the global default, +* `:quoted-snake` -- can be `true`; specify `false` (or `nil`) to reset to the default. + +Other options may only be specified directly in calls to `format` as they are considered +per-statement, rather than global. + See below for the interaction between `:dialect` and `:quoted`. ## `:cache`