From acb5112f03eddf2ad6d4a6b5af672e8c323cfb8e Mon Sep 17 00:00:00 2001 From: Sean Corfield Date: Sat, 21 Sep 2024 18:13:29 -0700 Subject: [PATCH] another strop cleanup #539 Signed-off-by: Sean Corfield --- doc/getting-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/getting-started.md b/doc/getting-started.md index 9d156ce..a82285a 100644 --- a/doc/getting-started.md +++ b/doc/getting-started.md @@ -354,7 +354,7 @@ The most visible difference between dialects is how SQL entities should be quoted (if the `:quoted true` option is provided to `format`). Most databases use `"` for quoting (the `:ansi` and `:oracle` dialects). The `:sqlserver` dialect uses `[`..`]` and the `:mysql` dialect uses -```` .. ````. In addition, the `:oracle` dialect disables `AS` in aliases. +`\`` .. `\``. In addition, the `:oracle` dialect disables `AS` in aliases. > Note: by default, quoting is **off** which produces cleaner-looking SQL and assumes you control all the symbols/keywords used as table, column, and function names -- the "SQL entities". If you are building any SQL or DDL where the table, column, or function names could be provided by an external source, **you should specify `:quoted true` to ensure all SQL entities are safely quoted**. As of 2.3.928, if you do _not_ specify `:quoted` as an option, HoneySQL will automatically quote any SQL entities that seem unusual, i.e., that contain any characters that are not alphanumeric or underscore. Purely alphanumeric entities will not be quoted (no entities were quoted by default prior to 2.3.928). You can prevent that auto-quoting by explicitly passing `:quoted false` into the `format` call but, from a security point of view, you should think very carefully before you do that: quoting entity names helps protect you from injection attacks! As of 2.4.947, you can change the default setting of `:quoted` from `nil` to `true` (or `false`) via the `set-options!` function.
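Review bot: the added `+` line in doc/getting-started.md writes the `:mysql` quote character as `\``, but CommonMark does not process backslash escapes inside code spans, so on a renderer that follows the spec this is likely to show a backslash and stray backticks rather than a single backtick. A code span holding a lone backtick is normally written with double-backtick delimiters and padding spaces, i.e. `` ` `` .. `` ` ``, which would read the same way as the `[`..`]` form earlier in the sentence. Worth checking the rendered output of this paragraph before merging, since the sentence documents which character actually protects entity names under `:quoted true`.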