SQL language injection help
If my string containing SQL starts with SELECT, UPDATE, INSERT, etc it is recognized as SQL and syntax highlighting work. If it starts with “WITH” or a comment ("--") it's not recognized. I can add an explicit @lang comment to get it to work, but, that's tedious and ugly.
Can I declare a function parameter with a lang attribute so it's always interpreted as SQL at the call site?
I've tried messing with the injection rules, but haven't had success.
Thanks for any help
请先登录再写评论。
Hi there,
On one hand: the Language Injection rule would be the best as it will work in all places. On another hand – it can cause false positives (if you have a plain string that starts with a similar sequence).
Yes, if it's a code that you can edit. Use special #[Language] PHP Attribute by JetBrains:
Do you have a few examples of such a strings? I have this rules, seems to work (a clone from similar rule for JS context):
Both approaches work great. Thank you so much!
And since you asked for an example:
WITH expanded_multipacks AS (
SELECT id, mp_model, pack, pack_num
FROM (SELECT id,
model AS mp_model,
packs,
UNNEST(ARRAY [pack1_ref2, pack2_ref2, pack3_ref2, pack4_ref2, pack5_ref2]) AS pack,
generate_series(1, 5) AS pack_num
FROM tblups_multipacks) _inner
WHERE pack_num <= packs -- ignore unused packs
)
SELECT coalesce(pack, modelnumber) AS model,
coalesce(mp_model, '') AS mp_model,
qty,
shipqty
FROM fun_display_shipment_status($1)
LEFT OUTER JOIN expanded_multipacks ON mp_model = modelnumber
WHERE shipqty > 0;
Thanks, the aforementioned injection rule works for that code just fine, even for a variable (e.g.
$sql = “WITH…”
).P.S. There is another way of injecting the same (can work with any function, even if it's not your code / the code that you cannot edit). But there are some restrictions:
Could be used for 3rd party code (if the above conditions are OK).
Thanks for the followup. That's good to know!