riddle 1.5.7 → 1.5.8

data/HISTORY

@@ -1,3 +1,7 @@
+1.5.8 - August 26th 2013
+- Reworked escaping to be consistent and always query-safe (Demian Ferreiro).
+- Escape column names in SphinxQL WHERE, INSERT, ORDER BY and GROUP BY clauses and statements (Jason Rust).
+
 1.5.7 - July 9th 2013
 - Respect Riddle::OutOfBoundsError instances, instead of wrapping them in ResponseError.
 - Handle boolean values for snippets options.

data/lib/riddle/query.rb

@@ -58,22 +58,21 @@ module Riddle::Query
   end
 
   def self.snippets(data, index, query, options = nil)
-    data = data.gsub("'")  { |x| "\\'" }
-    query = query.gsub("'") { |x| "\\'" }
+    data, index, query = quote(data), quote(index), quote(query)
 
     options = ', ' + options.keys.collect { |key|
       value = translate_value options[key]
-      value = "'#{value}'" if value.is_a?(String)
+      value = quote value if value.is_a?(String)
 
       "#{value} AS #{key}"
     }.join(', ') unless options.nil?
 
-    "CALL SNIPPETS('#{data}', '#{index}', '#{query}'#{options})"
+    "CALL SNIPPETS(#{data}, #{index}, #{query}#{options})"
   end
 
   def self.create_function(name, type, file)
     type = type.to_s.upcase
-    "CREATE FUNCTION #{name} RETURNS #{type} SONAME '#{file}'"
+    "CREATE FUNCTION #{name} RETURNS #{type} SONAME #{quote file}"
   end
 
   def self.drop_function(name)
@@ -100,11 +99,17 @@ module Riddle::Query
   end
 
   def self.escape(string)
-    string.gsub("\\") { |match|
-      "\\\\"
-    }.gsub(/[\(\)\|\-!@~"\/\^\$]/) { |match|
-      "\\\\#{match}"
-    }
+    string.gsub(/[\(\)\|\-!@~\/"\/\^\$\\]/) { |match| "\\#{match}" }
+  end
+
+  def self.quote(string)
+    "'#{sql_escape string}'"
+  end
+
+  def self.sql_escape(string)
+    return Mysql2::Client.escape(string) if defined?(Mysql2)
+
+    string.gsub(/['"\\]/) { |character| "\\#{character}" }
   end
 end
 

data/lib/riddle/query/insert.rb

@@ -14,7 +14,7 @@ class Riddle::Query::Insert
   end
 
   def to_sql
-    "#{command} INTO #{@index} (#{columns_to_s}) VALUES (#{values_to_s})"
+    "#{command} INTO #{@index} (`#{columns_to_s}`) VALUES (#{values_to_s})"
   end
 
   private
@@ -24,7 +24,7 @@ class Riddle::Query::Insert
   end
 
   def columns_to_s
-    columns.join(', ')
+    columns.join('`, `')
   end
 
   def values_to_s

data/lib/riddle/query/select.rb

@@ -26,7 +26,7 @@ class Riddle::Query::Select
   end
 
   def matching(match)
-    @matching = match.gsub("'") { |x| "\\'" }
+    @matching = match
     self
   end
 
@@ -83,11 +83,11 @@ class Riddle::Query::Select
   def to_sql
     sql = "SELECT #{ @values.join(', ') } FROM #{ @indices.join(', ') }"
     sql << " WHERE #{ combined_wheres }" if wheres?
-    sql << " GROUP BY #{@group_by}"      if !@group_by.nil?
+    sql << " GROUP BY #{escape_column(@group_by)}"      if !@group_by.nil?
     unless @order_within_group_by.nil?
-      sql << " WITHIN GROUP ORDER BY #{@order_within_group_by}"
+      sql << " WITHIN GROUP ORDER BY #{escape_column(@order_within_group_by)}"
     end
-    sql << " ORDER BY #{@order_by}"      if !@order_by.nil?
+    sql << " ORDER BY #{escape_column(@order_by)}"      if !@order_by.nil?
     sql << " #{limit_clause}"   unless @limit.nil? && @offset.nil?
     sql << " #{options_clause}" unless @options.empty?
 
@@ -104,9 +104,9 @@ class Riddle::Query::Select
     if @matching.nil?
       wheres_to_s
     elsif @wheres.empty? && @where_nots.empty? && @where_alls.empty? && @where_not_alls.empty?
-      "MATCH('#{@matching}')"
+      "MATCH(#{Riddle::Query.quote @matching})"
     else
-      "MATCH('#{@matching}') AND #{wheres_to_s}"
+      "MATCH(#{Riddle::Query.quote @matching}) AND #{wheres_to_s}"
     end
   end
 
@@ -134,22 +134,22 @@ class Riddle::Query::Select
   def filter_comparison_and_value(attribute, value)
     case value
     when Array
-      "#{attribute} IN (#{value.collect { |val| filter_value(val) }.join(', ')})"
+      "#{escape_column(attribute)} IN (#{value.collect { |val| filter_value(val) }.join(', ')})"
     when Range
-      "#{attribute} BETWEEN #{filter_value(value.first)} AND #{filter_value(value.last)}"
+      "#{escape_column(attribute)} BETWEEN #{filter_value(value.first)} AND #{filter_value(value.last)}"
     else
-      "#{attribute} = #{filter_value(value)}"
+      "#{escape_column(attribute)} = #{filter_value(value)}"
     end
   end
 
   def exclusive_filter_comparison_and_value(attribute, value)
     case value
     when Array
-      "#{attribute} NOT IN (#{value.collect { |val| filter_value(val) }.join(', ')})"
+      "#{escape_column(attribute)} NOT IN (#{value.collect { |val| filter_value(val) }.join(', ')})"
     when Range
-      "#{attribute} < #{filter_value(value.first)} OR #{attribute} > #{filter_value(value.last)}"
+      "#{escape_column(attribute)} < #{filter_value(value.first)} OR #{attribute} > #{filter_value(value.last)}"
     else
-      "#{attribute} <> #{filter_value(value)}"
+      "#{escape_column(attribute)} <> #{filter_value(value)}"
     end
   end
 
@@ -188,4 +188,13 @@ class Riddle::Query::Select
       value
     end
   end
+
+  def escape_column(column)
+    if column.to_s =~ /\A[`@]/
+      column
+    else
+      column_name, *extra = column.to_s.split(' ')
+      extra.unshift("`#{column_name}`").compact.join(' ')
+    end
+  end
 end

data/riddle.gemspec

@@ -3,7 +3,7 @@ $:.push File.expand_path('../lib', __FILE__)
 
 Gem::Specification.new do |s|
   s.name        = 'riddle'
-  s.version     = '1.5.7'
+  s.version     = '1.5.8'
   s.platform    = Gem::Platform::RUBY
   s.authors     = ['Pat Allan']
   s.email       = ['pat@freelancing-gods.com']

data/spec/functional/escaping_spec.rb

@@ -0,0 +1,49 @@
+require 'spec_helper'
+
+describe 'SphinxQL escaping', :live => true do
+  let(:connection) { Mysql2::Client.new :host => '127.0.0.1', :port => 9306 }
+
+  def sphinxql_matching(string)
+    select = Riddle::Query::Select.new
+    select.from 'people'
+    select.matching string
+    select.to_sql
+  end
+
+  ['@', "'", '"', '\\"', "\\'"].each do |string|
+    it "escapes #{string}" do
+      lambda {
+        connection.query sphinxql_matching(Riddle::Query.escape(string))
+      }.should_not raise_error(Mysql2::Error)
+    end
+  end
+
+  context 'on snippets' do
+    def snippets_for(text, words = '', options = nil)
+      snippets_query = Riddle::Query.snippets(text, 'people', words, options)
+      connection.query(snippets_query).first['snippet']
+    end
+
+    it 'preserves original text with special SphinxQL escape characters' do
+      text = 'email: john@example.com (yay!)'
+      snippets_for(text).should == text
+    end
+
+    it 'preserves original text with special MySQL escape characters' do
+      text = "'Dear' Susie\nAlways use {\\LaTeX}"
+      snippets_for(text).should == text
+    end
+
+    it 'escapes match delimiters with special SphinxQL escape characters' do
+      snippets = snippets_for('hello world', 'world',
+        :before_match => '()|-!', :after_match => '@~"/^$')
+      snippets.should == 'hello ()|-!world@~"/^$'
+    end
+
+    it 'escapes match delimiters with special MySQL escape characters' do
+      snippets = snippets_for('hello world', 'world',
+        :before_match => "'\"", :after_match => "\n\t\\")
+      snippets.should == "hello '\"world\n\t\\"
+    end
+  end
+end unless RUBY_PLATFORM == 'java' || Riddle.loaded_version.to_i < 2

data/spec/riddle/query/insert_spec.rb

@@ -3,23 +3,23 @@ require 'spec_helper'
 describe Riddle::Query::Insert do
   it 'handles inserts' do
     query = Riddle::Query::Insert.new('foo_core', [:id, :deleted], [4, false])
-    query.to_sql.should == 'INSERT INTO foo_core (id, deleted) VALUES (4, 0)'
+    query.to_sql.should == 'INSERT INTO foo_core (`id`, `deleted`) VALUES (4, 0)'
   end
   
   it 'handles replaces' do
     query = Riddle::Query::Insert.new('foo_core', [:id, :deleted], [4, false])
     query.replace!
-    query.to_sql.should == 'REPLACE INTO foo_core (id, deleted) VALUES (4, 0)'
+    query.to_sql.should == 'REPLACE INTO foo_core (`id`, `deleted`) VALUES (4, 0)'
   end
   
   it 'encloses strings in single quotes' do
     query = Riddle::Query::Insert.new('foo_core', [:id, :name], [4, 'bar'])
-    query.to_sql.should == "INSERT INTO foo_core (id, name) VALUES (4, 'bar')"
+    query.to_sql.should == "INSERT INTO foo_core (`id`, `name`) VALUES (4, 'bar')"
   end
   
   it 'handles inserts with more than one set of values' do
     query = Riddle::Query::Insert.new 'foo_core', [:id, :name], [[4, 'bar'], [5, 'baz']]
     query.to_sql.
-      should == "INSERT INTO foo_core (id, name) VALUES (4, 'bar'), (5, 'baz')"
+      should == "INSERT INTO foo_core (`id`, `name`) VALUES (4, 'bar'), (5, 'baz')"
   end
 end

data/spec/riddle/query/select_spec.rb

@@ -34,84 +34,99 @@ describe Riddle::Query::Select do
 
   it 'handles filters with integers' do
     query.from('foo_core').matching('foo').where(:bar_id => 10).to_sql.
-      should == "SELECT * FROM foo_core WHERE MATCH('foo') AND bar_id = 10"
+      should == "SELECT * FROM foo_core WHERE MATCH('foo') AND `bar_id` = 10"
   end
 
   it "handles exclusive filters with integers" do
     query.from('foo_core').matching('foo').where_not(:bar_id => 10).to_sql.
-      should == "SELECT * FROM foo_core WHERE MATCH('foo') AND bar_id <> 10"
+      should == "SELECT * FROM foo_core WHERE MATCH('foo') AND `bar_id` <> 10"
   end
 
   it "handles filters with true" do
     query.from('foo_core').matching('foo').where(:bar => true).to_sql.
-      should == "SELECT * FROM foo_core WHERE MATCH('foo') AND bar = 1"
+      should == "SELECT * FROM foo_core WHERE MATCH('foo') AND `bar` = 1"
   end
 
   it "handles exclusive filters with true" do
     query.from('foo_core').matching('foo').where_not(:bar => true).to_sql.
-      should == "SELECT * FROM foo_core WHERE MATCH('foo') AND bar <> 1"
+      should == "SELECT * FROM foo_core WHERE MATCH('foo') AND `bar` <> 1"
   end
 
   it "handles filters with false" do
     query.from('foo_core').matching('foo').where(:bar => false).to_sql.
-      should == "SELECT * FROM foo_core WHERE MATCH('foo') AND bar = 0"
+      should == "SELECT * FROM foo_core WHERE MATCH('foo') AND `bar` = 0"
   end
 
   it "handles exclusive filters with false" do
     query.from('foo_core').matching('foo').where_not(:bar => false).to_sql.
-      should == "SELECT * FROM foo_core WHERE MATCH('foo') AND bar <> 0"
+      should == "SELECT * FROM foo_core WHERE MATCH('foo') AND `bar` <> 0"
   end
 
   it "handles filters with arrays" do
     query.from('foo_core').matching('foo').where(:bars => [1, 2]).to_sql.
-      should == "SELECT * FROM foo_core WHERE MATCH('foo') AND bars IN (1, 2)"
+      should == "SELECT * FROM foo_core WHERE MATCH('foo') AND `bars` IN (1, 2)"
   end
 
   it "handles exclusive filters with arrays" do
     query.from('foo_core').matching('foo').where_not(:bars => [1, 2]).to_sql.
-      should == "SELECT * FROM foo_core WHERE MATCH('foo') AND bars NOT IN (1, 2)"
+      should == "SELECT * FROM foo_core WHERE MATCH('foo') AND `bars` NOT IN (1, 2)"
   end
 
   it "handles filters with timestamps" do
     time = Time.now
     query.from('foo_core').matching('foo').where(:created_at => time).to_sql.
-      should == "SELECT * FROM foo_core WHERE MATCH('foo') AND created_at = #{time.to_i}"
+      should == "SELECT * FROM foo_core WHERE MATCH('foo') AND `created_at` = #{time.to_i}"
   end
 
   it "handles exclusive filters with timestamps" do
     time = Time.now
     query.from('foo_core').matching('foo').where_not(:created_at => time).
-      to_sql.should == "SELECT * FROM foo_core WHERE MATCH('foo') AND created_at <> #{time.to_i}"
+      to_sql.should == "SELECT * FROM foo_core WHERE MATCH('foo') AND `created_at` <> #{time.to_i}"
   end
 
   it "handles filters with ranges" do
     query.from('foo_core').matching('foo').where(:bar => 1..5).to_sql.
-      should == "SELECT * FROM foo_core WHERE MATCH('foo') AND bar BETWEEN 1 AND 5"
+      should == "SELECT * FROM foo_core WHERE MATCH('foo') AND `bar` BETWEEN 1 AND 5"
   end
 
   it "handles filters expecting matches on all values" do
     query.from('foo_core').where_all(:bars => [1, 2]).to_sql.
-      should == "SELECT * FROM foo_core WHERE bars = 1 AND bars = 2"
+      should == "SELECT * FROM foo_core WHERE `bars` = 1 AND `bars` = 2"
   end
 
   it "handles exclusive filters expecting matches on none of the values" do
     query.from('foo_core').where_not_all(:bars => [1, 2]).to_sql.
-      should == "SELECT * FROM foo_core WHERE (bars <> 1 OR bars <> 2)"
+      should == "SELECT * FROM foo_core WHERE (`bars` <> 1 OR `bars` <> 2)"
   end
 
   it 'handles grouping' do
     query.from('foo_core').group_by('bar_id').to_sql.
-      should == "SELECT * FROM foo_core GROUP BY bar_id"
+      should == "SELECT * FROM foo_core GROUP BY `bar_id`"
   end
 
   it 'handles ordering' do
     query.from('foo_core').order_by('bar_id ASC').to_sql.
-      should == 'SELECT * FROM foo_core ORDER BY bar_id ASC'
+      should == 'SELECT * FROM foo_core ORDER BY `bar_id` ASC'
+  end
+
+  it 'handles ordering when an already escaped column is passed in' do
+    query.from('foo_core').order_by('`bar_id` ASC').to_sql.
+      should == 'SELECT * FROM foo_core ORDER BY `bar_id` ASC'
+  end
+
+  it 'handles ordering when just a symbol is passed in' do
+    query.from('foo_core').order_by(:bar_id).to_sql.
+      should == 'SELECT * FROM foo_core ORDER BY `bar_id`'
+  end
+
+  it 'handles ordering when a computed sphinx variable is passed in' do
+    query.from('foo_core').order_by('@weight DESC').to_sql.
+      should == 'SELECT * FROM foo_core ORDER BY @weight DESC'
   end
 
   it 'handles group ordering' do
     query.from('foo_core').order_within_group_by('bar_id ASC').to_sql.
-      should == 'SELECT * FROM foo_core WITHIN GROUP ORDER BY bar_id ASC'
+      should == 'SELECT * FROM foo_core WITHIN GROUP ORDER BY `bar_id` ASC'
   end
 
   it 'handles a limit' do

data/spec/riddle/query_spec.rb

@@ -78,14 +78,10 @@ describe Riddle::Query do
   end
 
   describe '.escape' do
-    %w(( ) | - ! @ ~ " / ^ $).each do |reserved|
+    %w(( ) | - ! @ ~ / ^ $ ").each do |reserved|
       it "escapes #{reserved}" do
-        Riddle::Query.escape(reserved).should == "\\\\#{reserved}"
+        Riddle::Query.escape(reserved).should == "\\#{reserved}"
       end
     end
-
-    it "escapes \\" do
-      Riddle::Query.escape("\\").should == "\\\\"
-    end
   end
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: riddle
 version: !ruby/object:Gem::Version 
-  hash: 13
+  hash: 19
   prerelease: 
   segments: 
   - 1
   - 5
-  - 7
-  version: 1.5.7
+  - 8
+  version: 1.5.8
 platform: ruby
 authors: 
 - Pat Allan
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-07-09 00:00:00 +10:00
+date: 2013-08-26 00:00:00 +10:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -244,6 +244,7 @@ files:
 - spec/fixtures/sql/data.tsv
 - spec/fixtures/sql/structure.sql
 - spec/functional/connection_spec.rb
+- spec/functional/escaping_spec.rb
 - spec/functional/excerpt_spec.rb
 - spec/functional/keywords_spec.rb
 - spec/functional/persistance_spec.rb
@@ -437,6 +438,7 @@ test_files:
 - spec/fixtures/sql/data.tsv
 - spec/fixtures/sql/structure.sql
 - spec/functional/connection_spec.rb
+- spec/functional/escaping_spec.rb
 - spec/functional/excerpt_spec.rb
 - spec/functional/keywords_spec.rb
 - spec/functional/persistance_spec.rb