Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ability to use parameterized queries, including with textareas #7

Closed
simonw opened this issue Jan 11, 2023 · 4 comments
Closed

Ability to use parameterized queries, including with textareas #7

simonw opened this issue Jan 11, 2023 · 4 comments
Labels
enhancement New feature or request

Comments

@simonw
Copy link
Owner

simonw commented Jan 11, 2023
edited
Loading

This would have been useful for inserting a big blob of JSON data as seen in this TIL: https://til.simonwillison.net/sqlite/geopoly

I had to manually replace ' with '' in order to get the import to work.

It would have been better if I could have done this:

insert into raw_data (geojson) values (:geojson_textarea)

And had it detect the parameter and use it to add a textarea to the page.

Might have to detect it with JavaScript here since unlike GET read-only queries it's not safe to submit the query first.

Thought I could detect incoming POST that was missing those params and redirect to a ?sql= GET page that prepopulates the form and adds the form fields.

Need protection against clickjacking attacks if I do that though: prevent framing and add a short countdown before the submit button can be pressed.
@simonw simonw added the enhancement New feature or request label Jan 11, 2023
@simonw
Copy link
Owner Author

simonw commented Jan 11, 2023

Related:

@simonw simonw mentioned this issue Jan 11, 2023
Closed
@simonw
Copy link
Owner Author

simonw commented Feb 27, 2024
edited
Loading

Might have to detect it with JavaScript here since unlike GET read-only queries it's not safe to submit the query first.

Actually I can use the explain trick here for that: https://github.com/simonw/datasette/blob/dfd4ad558b74defbe23b01196260b087f9a56813/datasette/utils/__init__.py#L1130-L1140

That's in a (currently undocumented) utility function async def derive_named_parameters(db, sql):

It was added in 0.59 simonw/datasette@fc48468 so it's safe to use. I should document it in Datasette though to make sure it's part of the documented stable API.

@simonw simonw mentioned this issue Feb 27, 2024
Closed
simonw added a commit to simonw/datasette that referenced this issue Feb 27, 2024
@simonw
Documentation for derive_named_parameters()
c863443 
Closes #2284

Refs simonw/datasette-write#7 (comment)
@simonw simonw closed this as completed in 270d39f Feb 27, 2024
@simonw
Copy link
Owner Author

simonw commented Feb 27, 2024

Demo:

demo-params

I decided to have the green message fade out after 2s because otherwise submitting the form multiple times looked like nothing had happened.

@simonw
Copy link
Owner Author

simonw commented Feb 27, 2024

This syntax does not work in Python 3.8:

        response2 = await ds.client.post(
            "/-/write",
>           data={
                "sql": sql,
                "csrftoken": csrftoken,
                "database": database,
            }
            | params,
            cookies=cookies,
        )
E       TypeError: unsupported operand type(s) for |: 'dict' and 'dict'

simonw added a commit that referenced this issue Feb 27, 2024
@simonw
Test fix for Python 3.8, refs #7
1b97aa4
simonw added a commit that referenced this issue Feb 27, 2024
@simonw
Release 0.3
e9225c9 
Refs #1, #6, #7, #8, #9
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@simonw