From c94b35af7c91bf66d717ce828c6ecf9a3886d289 Mon Sep 17 00:00:00 2001 From: lovasoa Date: Fri, 13 Sep 2024 11:40:47 +0200 Subject: [PATCH] remove support for `set $variable` (use `set variable` instead). --- CHANGELOG.md | 9 +++--- examples/CRUD - Authentication/README.md | 28 +++++++++---------- examples/CRUD - Authentication/www/README.md | 28 +++++++++---------- .../www/currencies_item_dml.sql | 16 +++++------ .../www/currencies_item_form.sql | 22 +++++++-------- .../www/currencies_list.sql | 8 +++--- .../www/header_shell_session.sql | 16 +++++------ examples/CRUD - Authentication/www/intro.sql | 4 +-- examples/CRUD - Authentication/www/login.sql | 2 +- .../www/menu_test/dummy_menu.sql | 10 +++---- .../www/menu_test/menu_code.sql | 8 +++--- .../official-site/component_not_found.sql | 2 +- .../examples/authentication/index.sql | 2 +- .../examples/handle_picture_upload.sql | 2 +- .../sqlpage/migrations/01_documentation.sql | 2 +- .../your-first-sql-website/tutorial.md | 2 +- examples/single sign on/cas/index.sql | 2 +- .../single sign on/cas/redirect_handler.sql | 4 +-- examples/single sign on/index.sql | 2 +- examples/single sign on/login.sql | 2 +- .../single sign on/oidc_redirect_handler.sql | 8 +++--- src/webserver/database/sql.rs | 2 +- 22 files changed, 91 insertions(+), 90 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 79d5d0ba..b0e85bd0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,6 +7,7 @@ - New `navbar_title` property in the [shell](https://sql.datapage.app/documentation.sql?component=shell#component) component to set the title of the top navigation bar. This allows to display a different title in the top menu than the one that appears in the tab of the browser. This can also be set to the empty string to hide the title in the top menu, in case you want to display only a logo for instance. - Fixed: The `font` property in the [shell](https://sql.datapage.app/documentation.sql?component=shell#component) component was mistakingly not applied since v0.28.0. It works again. - Updated SQL parser to [v0.51.0](https://github.com/sqlparser-rs/sqlparser-rs/blob/main/CHANGELOG.md#0510-2024-09-11). Improved `INTERVAL` parsing. + - **Important note**: this version removes support for the `SET $variable = ...` syntax in SQLite. This worked only with some databases. You should replace all occurrences of this syntax with `SET variable = ...` (without the `$` prefix). ## 0.28.0 (2024-08-31) - Chart component: fix the labels of pie charts displaying too many decimal places. 
@@ -192,7 +193,7 @@ select - reuse the existing opened database connection for the current query in `sqlpage.run_sql` instead of opening a new one. This makes it possible to create a temporary table in a file, and reuse it in an included script, create a SQL transaction that spans over multiple run_sql calls, and should generally make run_sql more performant. - Fixed a bug in the cookie component where removing a cookie from a subdirectory would not work. - [Updated SQL parser](https://github.com/sqlparser-rs/sqlparser-rs/blob/main/CHANGELOG.md#0470-2024-06-01). Fixes support for `AT TIME ZONE` in postgres. Fixes `GROUP_CONCAT()` in MySQL. -- Add a new warning message in the logs when trying to use `SET $x = ` when there is already a form field named `x`. +- Add a new warning message in the logs when trying to use `set x = ` when there is already a form field named `x`. - **Empty Uploaded files**: when a form contains an optional file upload field, and the user does not upload a file, the field used to still be accessible to SQLPage file-related functions such as `sqlpage.uploaded_file_path` and `sqlpage.uploaded_file_mime_type`. This is now fixed, and these functions will return `NULL` when the user does not upload a file. `sqlpage.persist_uploaded_file` will not create an empty file in the target directory when the user does not upload a file, instead it will do nothing and return `NULL`. - In the [map](https://sql.datapage.app/documentation.sql?component=map#component) component, when top-level latitude and longitude properties are omitted, the map will now center on its markers. This makes it easier to create zoomed maps with a single marker. - In the [button](https://sql.datapage.app/documentation.sql?component=button#component) component, add a `download` property to make the button download a file when clicked, a `target` property to open the link in a new tab, and a `rel` property to prevent search engines from following the link. 
@@ -202,9 +203,9 @@ select ## 0.22.0 (2024-05-29) -- **Important Security Fix:** The behavior of `SET $x` has been modified to match `SELECT $x`. - - **Security Risk:** Previously, `SET $x` could be overwritten by a POST parameter named `x`. - - **Solution:** Upgrade to SQLPage v0.22. If not possible, then update your application to use `SET :x` instead of `SET $x`. +- **Important Security Fix:** The behavior of `set x` has been modified to match `SELECT $x`. + - **Security Risk:** Previously, `set x` could be overwritten by a POST parameter named `x`. + - **Solution:** Upgrade to SQLPage v0.22. If not possible, then update your application to use `SET :x` instead of `set x`. - For more information, see [GitHub Issue #342](https://github.com/lovasoa/SQLpage/issues/342). - **Deprecation Notice:** Reading POST variables using `$x`. - **New Standard:** Use `:x` for POST variables and `$x` for GET variables. diff --git a/examples/CRUD - Authentication/README.md b/examples/CRUD - Authentication/README.md index ba752063..7b056315 100644 --- a/examples/CRUD - Authentication/README.md +++ b/examples/CRUD - Authentication/README.md 
@@ -10,14 +10,14 @@ Three files (login.sql, logout.sql, and create_session.sql) implement authentica 2. Session checking code snippet at the top of the protected page checks if a valid session token (cookie) is set. In this example, the SET statement sets a local variable, `$_username`, for later use: ```sql -- Checks if a valid session token cookie is available -SET $_username = ( +set _username = ( SELECT username FROM sessions WHERE sqlpage.cookie('session_token') = id AND created_at > datetime('now', '-1 day') ); ``` -3. Redirect to login page (login.sql) if no session is available (`$_username IS NULL`) and the starting page requires authentication (by setting `SET $_session_required = 1;` before executing the session checking code; see, e.g., the top of currencies_item_form.sql and currencies_list.sql): +3. Redirect to login page (login.sql) if no session is available (`$_username IS NULL`) and the starting page requires authentication (by setting `set _session_required = 1;` before executing the session checking code; see, e.g., the top of currencies_item_form.sql and currencies_list.sql): ```sql SELECT 'redirect' AS component, @@ -34,8 +34,8 @@ WHERE $_username IS NULL AND $_session_required; Because the same code is used for session token check for all protected pages, it makes sense to place it in a separate module (header_shell_session.sql) and execute it via run_sql() at the top of protected files: ```sql -SET $_curpath = sqlpage.path(); -SET $_session_required = 1; +set _curpath = sqlpage.path(); +set _session_required = 1; SELECT 'dynamic' AS component, 
@@ -104,9 +104,9 @@ The `$_shell_enabled` variable controls the execution of the custom shell compon The header modules expects that the calling module sets several variables. The SET statement makes it possible to check if the variables are set appropriately in one place at the beginning of the module, rather then placing guards every time theses variables are used. Hence, the top section of the header file includes ```sql -SET $_curpath = ifnull($_curpath, '/'); -SET $_session_required = ifnull($_session_required, 1); -SET $_shell_enabled = ifnull($_shell_enabled, 1); +set _curpath = ifnull($_curpath, '/'); +set _session_required = ifnull($_session_required, 1); +set _shell_enabled = ifnull($_shell_enabled, 1); ``` In this case, if any required variable is not set, a suitable default value is defined, so that the following code would not have to check for NULL values. Alternatively, a redirect to an error page may be used, to inform the programmer about the potential issue. @@ -142,8 +142,8 @@ All three module load the footer module discussed above that produces a conditio All three modules provide access to the database and are treated as protected: they are only accessible to authenticated users. Hence, they start with (mostly) the same code block: ```sql -SET $_curpath = sqlpage.path(); -SET $_session_required = 1; +set _curpath = sqlpage.path(); +set _session_required = 1; SELECT 'dynamic' AS component, @@ -178,7 +178,7 @@ SELECT $_curpath AS link WHERE $id = '' OR CAST($id AS INT) = 0; -SET $error_msg = sqlpage.url_encode('Bad {id = ' || $id || '} provided'); +set error_msg = sqlpage.url_encode('Bad {id = ' || $id || '} provided'); SELECT 'redirect' AS component, $_curpath || '?error=' || $error_msg AS link 
@@ -190,7 +190,7 @@ The blank string and zero are considered the equivalents of NULL, so redirect to Another accepted GET URL parameter is $values, which may be set to a JSON representation of the record. This parameter is returned from the currencies_item_dml.sql script if the database operation fails. Then the detail view will display an error message, but the form will remain populated with the user-submitted data. If $values is set, it takes precedence. This check throws an error if $values is set, but does not represent a valid JSON. ```sql -SET $_err_msg = +set _err_msg = sqlpage.url_encode('Values is set to bad JSON: __ ') || $values || ' __'; SELECT @@ -201,7 +201,7 @@ WHERE NOT json_valid($values); The detail view maybe called with zero, one, or two (\$id/\$values) parameters. Invalid values are filtered out at this point, so the next step is to check provided parameters and determine the dataset that should go into the form. ```sql -SET $_values = ( +set _values = ( WITH fields AS ( SELECT id, name, to_rub @@ -253,7 +253,7 @@ WHERE NOT ifnull($action = 'DELETE', FALSE); The following section defines the main form with record fields. First the $\_valid_ids variable is constructed as the source for the drop-down id field. The code also adds the NULL value used for defining a new record. Note that, when this form is opened from the table view via the "New Record" button, the $action variable is set to "INSERT" and the id field is set to the empty array in the first assignment via the alternative UINION and to the single NULL in the second assignment. The two queries can also be combined relatively straightforwardly using CTEs. ```sql -SET $_valid_ids = ( +set _valid_ids = ( SELECT json_group_array( json_object('label', CAST(id AS TEXT), 'value', id) ORDER BY id ) 
@@ -263,7 +263,7 @@ SET $_valid_ids = ( SELECT '[]' WHERE $action = 'INSERT' ); -SET $_valid_ids = ( +set _valid_ids = ( json_insert($_valid_ids, '$[#]', json_object('label', 'NULL', 'value', json('null')) ) diff --git a/examples/CRUD - Authentication/www/README.md b/examples/CRUD - Authentication/www/README.md index 01626831..5b5919f8 100644 --- a/examples/CRUD - Authentication/www/README.md +++ b/examples/CRUD - Authentication/www/README.md @@ -10,14 +10,14 @@ Three files (login.sql, logout.sql, and create_session.sql) implement authentica 2. Session checking code snippet at the top of the protected page checks if a valid session token (cookie) is set. In this example, the SET statement sets a local variable, `$_username`, for later use: ```sql -- Checks if a valid session token cookie is available -SET $_username = ( +set _username = ( SELECT username FROM sessions WHERE sqlpage.cookie('session_token') = id AND created_at > datetime('now', '-1 day') ); ``` -3. Redirect to login page (login.sql) if no session is available (`$_username IS NULL`) and the starting page requires authentication (by setting `SET $_session_required = 1;` before executing the session checking code; see, e.g., the top of currencies_item_form.sql and currencies_list.sql): +3. Redirect to login page (login.sql) if no session is available (`$_username IS NULL`) and the starting page requires authentication (by setting `set _session_required = 1;` before executing the session checking code; see, e.g., the top of currencies_item_form.sql and currencies_list.sql): ```sql SELECT 'redirect' AS component, 
@@ -34,8 +34,8 @@ WHERE $_username IS NULL AND $_session_required; Because the same code is used for session token check for all protected pages, it makes sense to place it in a separate module (header_shell_session.sql) and execute it via run_sql() at the top of protected files: ```sql -SET $_curpath = sqlpage.path(); -SET $_session_required = 1; +set _curpath = sqlpage.path(); +set _session_required = 1; SELECT 'dynamic' AS component, @@ -104,9 +104,9 @@ The `$_shell_enabled` variable controls the execution of the custom shell compon The header modules expects that the calling module sets several variables. The SET statement makes it possible to check if the variables are set appropriately in one place at the beginning of the module, rather then placing guards every time theses variables are used. Hence, the top section of the header file includes ```sql -SET $_curpath = ifnull($_curpath, '/'); -SET $_session_required = ifnull($_session_required, 1); -SET $_shell_enabled = ifnull($_shell_enabled, 1); +set _curpath = ifnull($_curpath, '/'); +set _session_required = ifnull($_session_required, 1); +set _shell_enabled = ifnull($_shell_enabled, 1); ``` In this case, if any required variable is not set, a suitable default value is defined, so that the following code would not have to check for NULL values. Alternatively, a redirect to an error page may be used, to inform the programmer about the potential issue. @@ -142,8 +142,8 @@ All three module load the footer module discussed above that produces a conditio All three modules provide access to the database and are treated as protected: they are only accessible to authenticated users. Hence, they start with (mostly) the same code block: ```sql -SET $_curpath = sqlpage.path(); -SET $_session_required = 1; +set _curpath = sqlpage.path(); +set _session_required = 1; SELECT 'dynamic' AS component, 
@@ -178,7 +178,7 @@ SELECT $_curpath AS link WHERE $id = '' OR CAST($id AS INT) = 0; -SET $error_msg = sqlpage.url_encode('Bad {id = ' || $id || '} provided'); +set error_msg = sqlpage.url_encode('Bad {id = ' || $id || '} provided'); SELECT 'redirect' AS component, $_curpath || '?error=' || $error_msg AS link @@ -190,7 +190,7 @@ The blank string and zero are considered the equivalents of NULL, so redirect to Another accepted GET URL parameter is $values, which may be set to a JSON representation of the record. This parameter is returned from the currencies_item_dml.sql script if the database operation fails. Then the detail view will display an error message, but the form will remain populated with the user-submitted data. If $values is set, it takes precedence. This check throws an error if $values is set, but does not represent a valid JSON. ```sql -SET $_err_msg = +set _err_msg = sqlpage.url_encode('Values is set to bad JSON: __ ') || $values || ' __'; SELECT @@ -201,7 +201,7 @@ WHERE NOT json_valid($values); The detail view maybe called with zero, one, or two (\$id/\$values) parameters. Invalid values are filtered out at this point, so the next step is to check provided parameters and determine the dataset that should go into the form. ```sql -SET $_values = ( +set _values = ( WITH fields AS ( SELECT id, name, to_rub 
@@ -253,7 +253,7 @@ WHERE NOT ifnull($action = 'DELETE', FALSE); The following section defines the main form with record fields. First the $\_valid_ids variable is constructed as the source for the drop-down id field. The code also adds the NULL value used for defining a new record. Note that, when this form is opened from the table view via the "New Record" button, the $action variable is set to "INSERT" and the id field is set to the empty array in the first assignment via the alternative UINION and to the single NULL in the second assignment. The two queries can also be combined relatively straightforwardly using CTEs. ```sql -SET $_valid_ids = ( +set _valid_ids = ( SELECT json_group_array( json_object('label', CAST(id AS TEXT), 'value', id) ORDER BY id ) @@ -263,7 +263,7 @@ SET $_valid_ids = ( SELECT '[]' WHERE $action = 'INSERT' ); -SET $_valid_ids = ( +set _valid_ids = ( json_insert($_valid_ids, '$[#]', json_object('label', 'NULL', 'value', json('null')) ) diff --git a/examples/CRUD - Authentication/www/currencies_item_dml.sql b/examples/CRUD - Authentication/www/currencies_item_dml.sql index 3be29235..9f6f189b 100644 --- a/examples/CRUD - Authentication/www/currencies_item_dml.sql +++ b/examples/CRUD - Authentication/www/currencies_item_dml.sql @@ -7,8 +7,8 @@ -- $_curpath and $_session_required are required for header_shell_session.sql. -SET $_session_required = 1; -SET $_shell_enabled = 0; +set _session_required = 1; +set _shell_enabled = 0; SELECT 'dynamic' AS component, @@ -18,7 +18,7 @@ SELECT -- Redirect target must be passed as $path -- ============================================================================= -SET $_err_msg = '&path URL GET parameter (redirect target) is not set!'; +set _err_msg = '&path URL GET parameter (redirect target) is not set!'; SELECT 'alert' AS component, 
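Review bot: The comment kept as context at the top of the `@@ -7,8 +7,8 @@` hunk of currencies_item_dml.sql, `-- $_curpath and $_session_required are required for header_shell_session.sql.`, no longer describes the two statements under it, which set `_session_required` and `_shell_enabled` and never set `_curpath`. From the header_shell_session.sql hunk in this same patch an unset `$_curpath` falls back to `ifnull($_curpath, '/')`, so leaving it out of a DML-only page is presumably deliberate, but a reader of this file cannot tell that. Suggest rewording the comment to `-- _session_required and _shell_enabled are read by header_shell_session.sql; _curpath is left to its default ('/').`. In currencies_item_form.sql, currencies_list.sql and intro.sql the same comment does match the code, so only this file needs the change.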
@@ -46,18 +46,18 @@ WHERE -- For new records, the id (INTEGER PRIMARY KEY AUTOINCREMENT) should be set to NULL. -- The id field is set as hidden in the record edit form and passed as the :id POST -- variable. NULL, however, cannot be passed as such and is converted to blank string. --- Check :id for '' and SET $id (:id will return the same value). +-- Check :id for '' and set id (:id will return the same value). -SET $_id = iif(typeof(:id) = 'text' AND :id = '', NULL, :id); +set _id = iif(typeof(:id) = 'text' AND :id = '', NULL, :id); -SET $_values = json_object( +set _values = json_object( 'id', CAST($_id AS INT), 'name', :name, 'to_rub', CAST(:to_rub AS NUMERIC) ); -SET $_op = iif($_id IS NULL, 'INSERT', 'UPDATE'); -SET $_err_msg = sqlpage.url_encode('New currency already in the database'); +set _op = iif($_id IS NULL, 'INSERT', 'UPDATE'); +set _err_msg = sqlpage.url_encode('New currency already in the database'); SELECT 'redirect' AS component, diff --git a/examples/CRUD - Authentication/www/currencies_item_form.sql b/examples/CRUD - Authentication/www/currencies_item_form.sql index 6eaf8f5f..435332c8 100644 --- a/examples/CRUD - Authentication/www/currencies_item_form.sql +++ b/examples/CRUD - Authentication/www/currencies_item_form.sql @@ -8,8 +8,8 @@ -- $_curpath and $_session_required are required for header_shell_session.sql. -SET $_curpath = sqlpage.path(); -SET $_session_required = 1; +set _curpath = sqlpage.path(); +set _session_required = 1; SELECT 'dynamic' AS component, 
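Review bot: The rewritten comment `-- Check :id for '' and set id (:id will return the same value).` now names a variable the statement below it does not set: the code is `set _id = iif(typeof(:id) = 'text' AND :id = '', NULL, :id);`, so the comment should read `-- Check :id for '' and set _id (:id will return the same value).`. Before the patch it said `SET $id`, which was already out of step with `$_id`; the mechanical `$`-stripping kept the mismatch. Separately, `CAST(:to_rub AS NUMERIC)` in the `_values` assignment silently turns non-numeric form input into 0 on SQLite (which this example appears to target, given `iif` and `typeof`), so a malformed `to_rub` is stored as 0 rather than rejected; a `typeof`-based guard before the write, or a CHECK constraint on the column, would make that failure visible instead of silent.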
@@ -19,9 +19,9 @@ SELECT -- =============================== Module vars ================================= -- ============================================================================= -SET $_getpath = '?path=' || ifnull($path, $_curpath); -SET $_action_target = 'currencies_item_dml.sql' || $_getpath; -SET $_table_list = 'currencies_list.sql'; +set _getpath = '?path=' || ifnull($path, $_curpath); +set _action_target = 'currencies_item_dml.sql' || $_getpath; +set _table_list = 'currencies_list.sql'; -- ============================================================================= -- ========================== Filter invalid $id =============================== @@ -36,7 +36,7 @@ WHERE $id = '' OR CAST($id AS INT) = 0; -- If $id is set, it must be a valid PKEY value. -SET $error_msg = sqlpage.url_encode('Bad {id = ' || $id || '} provided'); +set error_msg = sqlpage.url_encode('Bad {id = ' || $id || '} provided'); SELECT 'redirect' AS component, @@ -52,7 +52,7 @@ WHERE $id NOT IN (SELECT currencies.id FROM currencies); -- -- If $values is provided, it must contain a valid JSON. -SET $_err_msg = +set _err_msg = sqlpage.url_encode('Values is set to bad JSON: __ ') || $values || ' __'; SELECT @@ -70,9 +70,9 @@ WHERE NOT json_valid($values); -- Field values may be provided via the $values GET variable formatted as JSON -- object. If $values contains a valid JSON, use it to populate the form. -- Otherwise, if $id is set to a valid value, retrieve the record from the --- database and set $values. If not, set $values to all NULLs. +-- database and set values. If not, set values to all NULLs. -SET $_values = ( +set _values = ( WITH fields AS ( -- If valid "id" is supplied as a GET variable, retrieve the record and 
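Review bot: `set _getpath = '?path=' || ifnull($path, $_curpath);` takes the redirect target from the `$path` request parameter and forwards it into `_action_target`, and nothing in the hunk constrains it to a location on this site; the currencies_item_dml.sql hunk in this patch only checks that `$path` is set. If currencies_item_dml.sql later redirects to `$path` (that redirect is outside the visible hunks) this is an open-redirect surface, since the value originates from the URL and is never validated. A one-line guard keeps the happy path unchanged while pinning the target to a same-origin path: `set _getpath = '?path=' || CASE WHEN $path LIKE '/%' AND $path NOT LIKE '//%' THEN $path ELSE $_curpath END;`, adjusted to whatever same-origin rule the deployment needs. Worth a comment on the line either way, stating where `$path` is expected to come from.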
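Review bot: `set error_msg = sqlpage.url_encode('Bad {id = ' || $id || '} provided');` in the `@@ -36,7 +36,7 @@` hunk is the only local in this file without the `_` prefix used everywhere else (`_getpath`, `_action_target`, `_err_msg`, `_values`, `_valid_ids`), and the next hunk uses `set _err_msg = ...` for the same purpose. Since a value written by `set x` is read back as `$x`, the same syntax as a request parameter, and the CHANGELOG entry in this patch describes the warning logged when `set x` collides with a form field `x`, the prefix is what keeps page-local state visibly distinct from input. Suggest `set _error_msg = sqlpage.url_encode('Bad {id = ' || $id || '} provided');` together with the `$error_msg` read in the redirect link a few lines below; the same line appears in both README hunks of this patch and would need the same rename there.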
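Review bot: The rewritten comment `-- database and set values. If not, set values to all NULLs.` in the `@@ -70,9 +70,9 @@` hunk lost its meaning when the `$` was stripped: the statement it heads is `set _values = (`, while `$values` is the GET parameter the previous sentence of the comment talks about, so the two now read as the same thing. Suggest `-- database and set _values. If not, set _values to all NULLs.`. The `set _values = (` statement itself continues past the end of the hunk.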
@@ -136,7 +136,7 @@ WHERE NOT ifnull($action = 'DELETE', FALSE); -- passed back as POST variables, and the code above sets the $_values variable -- for proper initialization of the reloaded form. -SET $_valid_ids = ( +set _valid_ids = ( SELECT json_group_array( json_object('label', CAST(id AS TEXT), 'value', id) ORDER BY id ) @@ -146,7 +146,7 @@ SET $_valid_ids = ( SELECT '[]' WHERE $action = 'INSERT' ); -SET $_valid_ids = ( +set _valid_ids = ( json_insert($_valid_ids, '$[#]', json_object('label', 'NULL', 'value', json('null')) ) diff --git a/examples/CRUD - Authentication/www/currencies_list.sql b/examples/CRUD - Authentication/www/currencies_list.sql index 8b57841a..12839e11 100644 --- a/examples/CRUD - Authentication/www/currencies_list.sql +++ b/examples/CRUD - Authentication/www/currencies_list.sql @@ -5,8 +5,8 @@ -- $_curpath and $_session_required are required for header_shell_session.sql. -SET $_curpath = sqlpage.path(); -SET $_session_required = 1; +set _curpath = sqlpage.path(); +set _session_required = 1; SELECT 'dynamic' AS component, @@ -16,8 +16,8 @@ SELECT -- =============================== Module vars ================================= -- ============================================================================= -SET $_getpath = '&path=' || $_curpath; -SET $_item_form = 'currencies_item_form.sql'; +set _getpath = '&path=' || $_curpath; +set _item_form = 'currencies_item_form.sql'; -- ============================================================================= -- ======================== Display confirmation =============================== diff --git a/examples/CRUD - Authentication/www/header_shell_session.sql b/examples/CRUD - Authentication/www/header_shell_session.sql index 2a8c1d2f..8628d89b 100644 --- a/examples/CRUD - Authentication/www/header_shell_session.sql +++ b/examples/CRUD - Authentication/www/header_shell_session.sql 
@@ -21,9 +21,9 @@ -- at the top of the page script, but AFTER setting the required variables -- -- ```sql --- SET $_curpath = sqlpage.path(); --- SET $_session_required = 1; --- SET $_shell_enabled = 1; +-- set _curpath = sqlpage.path(); +-- set _session_required = 1; +-- set _shell_enabled = 1; -- ``` -- -- ## Reuired SET Variables @@ -49,9 +49,9 @@ -- Set default values (for now) for required variables. -- Probably should instead show appropriate error messages and abort rendering. -SET $_curpath = ifnull($_curpath, '/'); -SET $_session_required = ifnull($_session_required, 1); -SET $_shell_enabled = ifnull($_shell_enabled, 1); +set _curpath = ifnull($_curpath, '/'); +set _session_required = ifnull($_session_required, 1); +set _shell_enabled = ifnull($_shell_enabled, 1); -- ============================================================================= -- ========================= Check active session ============================== @@ -60,7 +60,7 @@ SET $_shell_enabled = ifnull($_shell_enabled, 1); -- Check if session is available. -- Require the user to log in again after 1 day -SET $_username = ( +set _username = ( SELECT username FROM sessions WHERE sqlpage.cookie('session_token') = id @@ -69,7 +69,7 @@ SET $_username = ( -- Redirect to the login page if the user is not logged in. -- Unprotected pages must --- SET $_session_required = (SELECT FALSE); +-- set _session_required = (SELECT FALSE); -- before running this script SELECT diff --git a/examples/CRUD - Authentication/www/intro.sql b/examples/CRUD - Authentication/www/intro.sql index bcb5857c..eb9219a4 100644 --- a/examples/CRUD - Authentication/www/intro.sql +++ b/examples/CRUD - Authentication/www/intro.sql @@ -5,8 +5,8 @@ -- $_curpath and $_session_required are required for header_shell_session.sql. -SET $_curpath = sqlpage.path(); -SET $_session_required = 0; +set _curpath = sqlpage.path(); +set _session_required = 0; SELECT 'dynamic' AS component, 
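Review bot: `set _session_required = ifnull($_session_required, 1);` in the `@@ -49,9 +49,9 @@` hunk applies its fail-closed default only when `$_session_required` is NULL, and the tutorial hunk in this same patch states that an unset `$parameter` is first looked up among URL and form parameters before becoming NULL, so for a caller that forgets to set the variable the effective value comes from the request rather than from this default. Every caller visible in this patch (intro.sql and the currencies_*.sql pages) sets it explicitly, so this concerns future pages, but the comment two lines above already says the defaults should become errors. The simplest fail-closed form is to drop the default and treat a missing value as "not set up", e.g. `SELECT 'redirect' AS component, 'login.sql' AS link WHERE $_session_required IS NULL;` placed before the session check, with a comment naming the invariant. `_shell_enabled` on the next line has the same shape but only affects rendering.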
diff --git a/examples/CRUD - Authentication/www/login.sql b/examples/CRUD - Authentication/www/login.sql index 2b9a6a3b..f7259316 100644 --- a/examples/CRUD - Authentication/www/login.sql +++ b/examples/CRUD - Authentication/www/login.sql @@ -1,6 +1,6 @@ -- Authentication Fence -SET $username = ( +set username = ( SELECT username FROM sessions WHERE sqlpage.cookie('session_token') = id diff --git a/examples/CRUD - Authentication/www/menu_test/dummy_menu.sql b/examples/CRUD - Authentication/www/menu_test/dummy_menu.sql index 97c13fdb..2ce87ff7 100644 --- a/examples/CRUD - Authentication/www/menu_test/dummy_menu.sql +++ b/examples/CRUD - Authentication/www/menu_test/dummy_menu.sql @@ -1,4 +1,4 @@ -SET $_get_vars = ( +set _get_vars = ( SELECT json_group_object( "key", @@ -10,10 +10,10 @@ SET $_get_vars = ( ); -SET $_locale_code = $lang; -- 'en', 'ru', 'de', 'fr', 'zh-cn' -SET $_theme = 'fancy'; --$theme; -- 'default', 'fancy' -SET $_hide_language_names = $hide_language_names; -- 0, 1 (BOOLEAN) -SET $_authenticated = $authenticated; -- 0, 1 (BOOLEAN) +set _locale_code = $lang; -- 'en', 'ru', 'de', 'fr', 'zh-cn' +set _theme = 'fancy'; --$theme; -- 'default', 'fancy' +set _hide_language_names = $hide_language_names; -- 0, 1 (BOOLEAN) +set _authenticated = $authenticated; -- 0, 1 (BOOLEAN) -- ============================================================================= -- ============================================================================= diff --git a/examples/CRUD - Authentication/www/menu_test/menu_code.sql b/examples/CRUD - Authentication/www/menu_test/menu_code.sql index a843a031..4d7d8f70 100644 --- a/examples/CRUD - Authentication/www/menu_test/menu_code.sql +++ b/examples/CRUD - Authentication/www/menu_test/menu_code.sql 
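Review bot: `set username = (` in the login.sql hunk uses a bare name for the session lookup, whereas the equivalent statement in header_shell_session.sql in this patch is `set _username = (` and the CRUD example's README describes `_`-prefixed locals as the convention. On a login page the form field is very plausibly also named `username` (the form is not visible in the hunk), which is exactly the `set x` versus form-field-`x` collision that the CHANGELOG entry in this patch says now produces a log warning. Suggest `set _username = (` here, renaming the `$username` reads in the rest of the file, which lie outside the hunk.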
@@ -1,7 +1,7 @@ --- SET $_locale_code = $lang; -- 'en', 'ru', 'de', 'fr', 'zh-cn' --- SET $_theme = $theme; -- 'default', 'fancy' --- SET $_hide_language_names = $hide_language_names; -- 0, 1 (BOOLEAN) --- SET $_authenticated = $authenticated; -- 0, 1 (BOOLEAN) +-- set _locale_code = $lang; -- 'en', 'ru', 'de', 'fr', 'zh-cn' +-- set _theme = $theme; -- 'default', 'fancy' +-- set _hide_language_names = $hide_language_names; -- 0, 1 (BOOLEAN) +-- set _authenticated = $authenticated; -- 0, 1 (BOOLEAN) -- ============================================================================= -- ============================================================================= diff --git a/examples/official-site/component_not_found.sql b/examples/official-site/component_not_found.sql index d52297b6..61507a77 100644 --- a/examples/official-site/component_not_found.sql +++ b/examples/official-site/component_not_found.sql @@ -9,7 +9,7 @@ select 'Back to the documentation' as link_text; -- Friendly message after an XSS or SQL injection attempt -set $attack = CASE WHEN +set attack = CASE WHEN $component LIKE '%<%' or $component LIKE '%>%' or $component LIKE '%/%' or $component LIKE '%;%' or $component LIKE '%--%' or $component LIKE '%''%' or $component LIKE '%(%' THEN 'attacked' END; diff --git a/examples/official-site/examples/authentication/index.sql b/examples/official-site/examples/authentication/index.sql index ce323484..c3cc4467 100644 --- a/examples/official-site/examples/authentication/index.sql +++ b/examples/official-site/examples/authentication/index.sql 
@@ -1,6 +1,6 @@ -- redirect the user to the login page if they are not logged in -- this query should be present at the top of every page that requires authentication -set $role = (select role from users natural join user_sessions where session_token = sqlpage.cookie('session_token')); +set role = (select role from users natural join user_sessions where session_token = sqlpage.cookie('session_token')); select 'redirect' as component, 'login.sql' as link where $role is null; select 'dynamic' as component, diff --git a/examples/official-site/examples/handle_picture_upload.sql b/examples/official-site/examples/handle_picture_upload.sql index 66700335..54d2b645 100644 --- a/examples/official-site/examples/handle_picture_upload.sql +++ b/examples/official-site/examples/handle_picture_upload.sql @@ -2,7 +2,7 @@ select 'dynamic' as component, properties FROM example WHERE component = 'shell' select 'title' as component, 'SQLPage Image Upload Demo' as contents; -set $data_url = sqlpage.read_file_as_data_url(sqlpage.uploaded_file_path('my_file')); +set data_url = sqlpage.read_file_as_data_url(sqlpage.uploaded_file_path('my_file')); select 'card' as component, 1 as columns where $data_url is not null; select 'Your picture' as title, diff --git a/examples/official-site/sqlpage/migrations/01_documentation.sql b/examples/official-site/sqlpage/migrations/01_documentation.sql index 31a225c6..bb29ad81 100644 --- a/examples/official-site/sqlpage/migrations/01_documentation.sql +++ b/examples/official-site/sqlpage/migrations/01_documentation.sql @@ -1075,7 +1075,7 @@ a "Profile" menu item only to authenticated users, and a "Login" menu item only to unauthenticated users: ```sql -SET $role = ( +set role = ( SELECT role FROM users INNER JOIN sessions ON users.id = sessions.user_id WHERE sessions.session_id = sqlpage.cookie(''session_id'') 
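Review bot: `set role = (select role from users natural join user_sessions where session_token = sqlpage.cookie('session_token'));` joins on every column the two tables happen to share, so the join condition depends on the schema rather than on what is written here: adding a same-named column to either table (an `id` or `created_at` on both, say) silently tightens the join and yields a NULL `$role`, and if the two tables share no column at all the join degrades to a cross join and the subquery returns the role of an arbitrary user for any valid session. The schema is not visible in this patch, so whether either case applies today cannot be confirmed, but the fragility is in the statement itself. Prefer an explicit join, `inner join user_sessions on user_sessions.<user fk column> = users.<pk column>`, with the real column names from the schema. The `where $role is null` redirect on the next line is the right fail-closed shape and covers both a missing cookie and an unknown token.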
diff --git a/examples/official-site/your-first-sql-website/tutorial.md b/examples/official-site/your-first-sql-website/tutorial.md index 5e33afb1..6758279e 100644 --- a/examples/official-site/your-first-sql-website/tutorial.md +++ b/examples/official-site/your-first-sql-website/tutorial.md @@ -131,7 +131,7 @@ There are two types of parameters you can use in your SQL queries: > Note: Currently, if a `$parameter` is not present in the URL, it is first looked for in the form parameters. If it is not found there either, it is set to `NULL`. Please do not rely on this behavior, as it may change in the future. -You can also set $parameters yourself at any point in your SQL files in order to reuse +You can also set parameters yourself at any point in your SQL files in order to reuse their value in several places, using the `SET ParameterName = value` syntax. For instance, we could use the following code to save the username in uppercase: diff --git a/examples/single sign on/cas/index.sql b/examples/single sign on/cas/index.sql index 0db0b8b1..6963abf2 100644 --- a/examples/single sign on/cas/index.sql +++ b/examples/single sign on/cas/index.sql @@ -1,4 +1,4 @@ -set $user_email = (select email from user_sessions where session_id = sqlpage.cookie('session_id')); +set user_email = (select email from user_sessions where session_id = sqlpage.cookie('session_id')); select 'text' as component, 'You are not authenticated. [Log in](login.sql).' as contents_md where $user_email is null; select 'text' as component, 'Welcome, ' || $user_email || '. You can now [log out](logout.sql).' as contents_md where $user_email is not null; diff --git a/examples/single sign on/cas/redirect_handler.sql b/examples/single sign on/cas/redirect_handler.sql index 70af5fb3..6c98efe3 100644 --- a/examples/single sign on/cas/redirect_handler.sql +++ b/examples/single sign on/cas/redirect_handler.sql 
@@ -7,7 +7,7 @@ select 'redirect' as component, '/cas/' as link where $ticket is null;
 -- We must then validate the ticket with the CAS server
 -- CAS v3 specifies the following URL for ticket validation (see https://apereo.github.io/cas/6.6.x/protocol/CAS-Protocol-Specification.html#28-p3servicevalidate-cas-30)
 -- https://cas.example.org/p3/serviceValidate?ticket=ST-1856339-aA5Yuvrxzpv8Tau1cYQ7&service=http://myclient.example.org/myapp&format=JSON
-SET $ticket_url =
+set ticket_url =
 sqlpage.environment_variable('CAS_ROOT_URL')
 || '/p3/serviceValidate' || '?ticket=' || sqlpage.url_encode($ticket)
@@ -15,7 +15,7 @@ SET $ticket_url =
 || '&format=JSON';
 -- We must then make a request to the CAS server to validate the ticket
-set $validation_response = sqlpage.fetch($ticket_url);
+set validation_response = sqlpage.fetch($ticket_url);
 -- If the ticket is invalid, the CAS server will return a 200 OK response with a JSON object like this:
 -- { "serviceResponse": { "authenticationFailure": { "code": "INVALID_TICKET", "description": "..." } } }
diff --git a/examples/single sign on/index.sql b/examples/single sign on/index.sql
index 7645020b..91273413 100644
--- a/examples/single sign on/index.sql
+++ b/examples/single sign on/index.sql
@@ -1,4 +1,4 @@
-set $user_email = (select email from user_sessions where session_id = sqlpage.cookie('session_id'));
+set user_email = (select email from user_sessions where session_id = sqlpage.cookie('session_id'));
 select 'shell' as component, 'My secure app' as title, (case when $user_email is null then 'login' else 'logout' end) as menu_item;
diff --git a/examples/single sign on/login.sql b/examples/single sign on/login.sql
index bdd7d0a1..f2f298b1 100644
--- a/examples/single sign on/login.sql
+++ b/examples/single sign on/login.sql
@@ -1,4 +1,4 @@
-set $oauth_state = sqlpage.random_string(32);
+set oauth_state = sqlpage.random_string(32);
 SELECT 'cookie' as component, 'oauth_state' as name, $oauth_state as value;
diff --git a/examples/single sign on/oidc_redirect_handler.sql b/examples/single sign on/oidc_redirect_handler.sql
index 289df9a6..d0f036e3 100644
--- a/examples/single sign on/oidc_redirect_handler.sql
+++ b/examples/single sign on/oidc_redirect_handler.sql
@@ -3,7 +3,7 @@
 select 'redirect' as component, '/login.sql' as link where sqlpage.cookie('oauth_state') != $state;
 -- Exchange the authorization code for an access token
-set $authorization_code_request = json_object(
+set authorization_code_request = json_object(
 'url', sqlpage.environment_variable('OIDC_TOKEN_ENDPOINT'),
 'method', 'POST',
 'headers', json_object(
@@ -15,7 +15,7 @@ set $authorization_code_request = json_object(
 || '&client_id=' || sqlpage.environment_variable('OIDC_CLIENT_ID')
 || '&client_secret=' || sqlpage.environment_variable('OIDC_CLIENT_SECRET')
 );
-set $access_token = sqlpage.fetch($authorization_code_request);
+set access_token = sqlpage.fetch($authorization_code_request);
 -- Redirect the user to the login page if the access token could not be obtained
 select 'redirect' as component, '/login.sql' as link where $access_token->>'error' is not null;
@@ -23,14 +23,14 @@ select 'redirect' as component, '/login.sql' as link where $access_token->>'erro
 -- At this point we have $access_token which contains {"access_token":"eyJ...", "scope":"openid profile email" }
 -- Fetch the user's profile
-set $profile_request = json_object(
+set profile_request = json_object(
 'url', sqlpage.environment_variable('OIDC_USERINFO_ENDPOINT'),
 'method', 'GET',
 'headers', json_object(
 'Authorization', 'Bearer ' || ($access_token->>'access_token')
 )
 );
-set $user_profile = sqlpage.fetch($profile_request);
+set user_profile = sqlpage.fetch($profile_request);
 -- Redirect the user to the login page if the user's profile could not be obtained
 select 'redirect' as component, '/login.sql' as link where $user_profile->>'error' is not null;
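Review bot: The state check on this hunk's first context line, `where sqlpage.cookie('oauth_state') != $state`, never redirects when either side is NULL: a callback without a `state` parameter, or a browser without the `oauth_state` cookie, makes the comparison UNKNOWN, the `where` drops the redirect row, and the page proceeds to the token exchange below. Treat a missing value as a mismatch with a null-safe comparison, e.g. `where $state is null or sqlpage.cookie('oauth_state') is null or sqlpage.cookie('oauth_state') != $state` (or the engine's `is distinct from` / `is not` form; the example's database isn't visible here). The `set authorization_code_request = json_object(` statement that follows continues past the end of the hunk.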
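Review bot: The context lines above the change, `|| '&client_id=' || sqlpage.environment_variable('OIDC_CLIENT_ID')` and `|| '&client_secret=' || sqlpage.environment_variable('OIDC_CLIENT_SECRET')`, splice the raw values into a `&`/`=`-delimited body, so a secret containing `&`, `=`, `+` or `%` is cut short or mis-decoded by the token endpoint and the exchange fails in a way that is hard to diagnose. Encode both values the way the CAS handler in this same commit encodes its ticket: `|| '&client_id=' || sqlpage.url_encode(sqlpage.environment_variable('OIDC_CLIENT_ID'))` and likewise for `OIDC_CLIENT_SECRET`. The `json_object(` that builds this request, including its content-type header, starts before the hunk, so the body encoding is inferred from the `&client_id=` form rather than seen.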
diff --git a/src/webserver/database/sql.rs b/src/webserver/database/sql.rs
index 64eee946..5eed05e3 100644
--- a/src/webserver/database/sql.rs
+++ b/src/webserver/database/sql.rs
@@ -548,7 +548,7 @@ pub(super) fn function_args_to_stmt_params(
 - concatenations of the above (such as CONCAT(x, y)).\n\n\
 Arbitrary SQL expressions as function arguments are not supported.\n\
 Try executing the SQL expression in a separate SET expression, then passing it to the function:\n\n\
- SET $my_parameter = {arg}; \n\
+ set my_parameter = {arg}; \n\
 SELECT sqlpage.my_function($my_parameter);\n\n\
 "))
 })