The auto_literal_strings extension treats string values passed as filter arguments as SQL query fragments. This is the behavior of previous versions of Sequel
. Using this extension makes using raw SQL fragments easier, since you don’t need to wrap them with Sequel.lit, but also makes it easier to introduce SQL injection vulnerabilities into the application. It is only recommended to use this extension for backwards compatibility with previous versions of Sequel
.
With this extension, if a single string is given, it is used as an SQL query fragment:
ds = DB[:table].extension(:auto_literal_strings) ds.where("name > 'A'") # SELECT * FROM table WHERE (name > 'A')
If additional arguments are given, they are used as placeholders:
ds.where("name > ?", "A") # SELECT * FROM table WHERE (name > 'A')
Named placeholders can also be used with a hash:
ds.where("name > :a", a: "A") # SELECT * FROM table WHERE (name > 'A')
This extension also allows the use of a plain string passed to Dataset#update:
ds.update("column = column + 1") # UPDATE table SET column = column + 1
Related module: Sequel::Dataset::AutoLiteralStrings