|
| 1 | +# SQL expansion command |
| 2 | + |
| 3 | +The command `sqlexpand` can be used to expand environment variables within an SQL query in a safe way (i.e. handling embedded quotes). |
| 4 | + |
| 5 | +The library `sqlexpand.o` can be used in other tools to achieve the same objective. |
| 6 | + |
| 7 | +Note that some options are enabled / disabled by flags on the `sqlexpand` command, see `--help` for details. |
| 8 | + |
| 9 | +## Simple expansion |
| 10 | + |
| 11 | +The simplest expansion is just `$` followed by a variable name (starts as a letter, or underscore, then letters, underscore or number). |
| 12 | + |
| 13 | +However, if the next thing is a letter or number you can include the name in curly braces, e.g `${variable}`. |
| 14 | + |
| 15 | +## Prefix |
| 16 | + |
| 17 | +Immediately before the variable name (and inside `{...}` if present) can be a number of prefixes. |
| 18 | + |
| 19 | +|`?`| Used in some special cases, such as testing if a variable exists.| |
| 20 | +|`@`| Consider the expanded value as a filename and read the value from that file.| |
| 21 | +|`-`| Replace all `'`, `"` or `` ` `` with `_` (underscore).| |
| 22 | +|`,`| Ensures quotes around the expansion. Changes tab or comma to quote,comma,quote to make a clean list.| |
| 23 | +|`+`| URL encode the value. e.g. `?name=$+value`. Use `++` to double escape. Note encodes space a `%20` not `+` so can be used in path. Does not escape `/`.| |
| 24 | +|`#`| Made MD5 of value, use `##` for SHA1. Value is hex (lower case).| |
| 25 | +|`=`| Base64 encode the value. If used with `#` or `##` then this is base64 of the binary hash instead of hex.| |
| 26 | +|`%`| Trust this variable (use with care) so allowing expansion outside quotes as is with no escaping.|| |
| 27 | + |
| 28 | +Only use `$%variable` with great care, and ensure any construction of the variable value uses sqlexpand to safely escape what is being set. |
| 29 | + |
| 30 | +## Special variable |
| 31 | + |
| 32 | +Instead of the variable name itself there are some special variables. Some of these match a prefix, and so these work where not followed by a letter or underscore (use `{...}` if needed, e.g. `xx${@}xx`). |
| 33 | + |
| 34 | +|`$variable`| If the variable name itself starts with a $ then the variable contains a variable name. E.g. If variable `X` contains `A` then `${$X}` is the same as `$A`.| |
| 35 | +|`$`| Generate the parent PID (deprecated)| |
| 36 | +|`@`| Generate a timestamp of current directory| |
| 37 | +|`<`| Read stdin| |
| 38 | +|`\`| Generate a back tick (so starts/ends back tick quoting if used outside other quotes).| |
| 39 | +|`/`| Generate a single quote (so starts/ends single quoting if used outside other quotes).| |
| 40 | + |
| 41 | +## Index |
| 42 | + |
| 43 | +Immediately after the variable name (and inside `{...}` if present) can be an index of the form `[number]`. If present then the number is used as a n index in to the value. The value is split on tab characters and index `[1]` if the first part. This is done before considering any suffix. |
| 44 | + |
| 45 | +## Suffix |
| 46 | + |
| 47 | +Immediately after the variable name (and inside `{...}`, and after `[...]`, if present) can be a number of suffixes. |
| 48 | + |
| 49 | +|`:h'| Head of path, removes all after last slash.| |
| 50 | +|`:t'| Tail of path, only from after last slash (unchanged if no slash).| |
| 51 | +|`:e'| Extension. Everything after final dot if after last slash. Blank if no dot after last slash.| |
| 52 | +|`:r'| Remove extension. Removes last dot and anything after if it, if dot is after a slash.| |
| 53 | + |
| 54 | +## Checking |
| 55 | + |
| 56 | +The final SQL has to then pass some tests to help catch any remaining possible SQL injection (e.g. from `$%variable`). |
| 57 | + |
| 58 | +- Must have correctly balanced quotes (`'`, `"` and `` ` ``). |
| 59 | +- Must not contain an unquoted `;`, i.e. an attempt to make multiple commands. |
| 60 | +- Must not contain an unquoted `#`, `/*` or `--` , i.e. an attempt to include a comment. |
| 61 | + |
0 commit comments