CartoDB-SQL-API/app/models/psql.js

var _      = require('underscore')
    , Step   = require('step')
    , pg     = require('pg');//.native; // disabled for now due to: https://github.com/brianc/node-postgres/issues/48
_.mixin(require('underscore.string'));

// Max database connections in the pool
// Subsequent connections will block waiting for a free slot
pg.defaults.poolSize = global.settings.db_pool_size || 16;

// Milliseconds of idle time before removing connection from pool
pg.defaults.poolIdleTimeout = global.settings.db_pool_idleTimeout || 30000;

// Frequency to check for idle clients within the pool, ms
pg.defaults.reapIntervalMillis = global.settings.db_pool_reapInterval || 1000;

pg.on('error', function(err, client) {
  console.log("PostgreSQL connection error: " + err);
});

// Workaround for https://github.com/Vizzuality/CartoDB-SQL-API/issues/100
var types = require(__dirname + '/../../node_modules/pg/lib/types');
var arrayParser = require(__dirname + '/../../node_modules/pg/lib/types/arrayParser');
var floatParser = function(val) {
  return parseFloat(val);
};
var floatArrayParser = function(val) {
  if(!val) { return null; }
  var p = arrayParser.create(val, function(entry) {
    return floatParser(entry);
  });
  return p.parse();
};
types.setTypeParser(20, floatParser); // int8
types.setTypeParser(700, floatParser); // float4
types.setTypeParser(701, floatParser); // float8
types.setTypeParser(1700, floatParser); // numeric
types.setTypeParser(1021, floatArrayParser); // _float4
types.setTypeParser(1022, floatArrayParser); // _float8
types.setTypeParser(1231, floatArrayParser); // _numeric
types.setTypeParser(1016, floatArrayParser); // _int8

// Standard type->name mappnig (up to oid=2000)
var stdTypeName = {
    16: 'bool',
    17: 'bytea',
    20: 'int8',
    21: 'int2',
    23: 'int4',
    25: 'text',
    26: 'oid',
   114: 'JSON',
   700: 'float4',
   701: 'float8',
  1000: '_bool',
  1015: '_varchar',
  1042: 'bpchar',
  1043: 'varchar',
  1005: '_int2',
  1007: '_int4',
  1014: '_bpchar',
  1016: '_int8',
  1021: '_float4',
  1022: '_float8',
  1008: '_regproc',
  1009: '_text',
  1082: 'date',
  1114: 'timestamp',
  1182: '_date',
  1184: 'timestampz',
  1186: 'interval',
  1231: '_numeric',
  1700: 'numeric'
};

// Holds a typeId->typeName mapping for each
// database ever connected to
var extTypeName = {};

// PSQL
//
// A simple postgres wrapper with logic about username and database to connect
//
// * intended for use with pg_bouncer
// * defaults to connecting with a "READ ONLY" user to given DB if not passed a specific user_id
//
// @param opts connection options:
//    user: database username
//    pass: database user password
//    host: database host
//    port: database port
//    dbname: database name
//
var PSQL = function(dbopts) {

    var error_text = "Incorrect access parameters. If you are accessing via OAuth, please check your tokens are correct. For public users, please ensure your table is published."
    if ( ! dbopts || ( !_.isString(dbopts.user) && !_.isString(dbopts.dbname)))
    {
      // console.log("DBOPTS: "); console.dir(dbopts);
      throw new Error(error_text);
    }

    var me = {
        dbopts: dbopts
    };

    me.username = function(){
        return this.dbopts.user;
    };

    me.password = function(){
        return this.dbopts.pass;
    };

    me.database = function(){
        return this.dbopts.dbname;
    };

    me.dbhost = function(){
        return this.dbopts.host;
    };

    me.dbport = function(){
        return this.dbopts.port;
    };

    me.conString = "tcp://" + me.username() +
                    ":" + me.password() + // this line only if not-null ?
                    "@" +
                    me.dbhost() + ":" +
                    me.dbport() + "/" +
                    me.database();

    me.ensureTypeCache = function(cb) {
      var db = this.db;
      if ( extTypeName[db] ) { cb(); return; }
      pg.connect(this.conString, function(err, client, done) {
        if ( err ) { cb(err); return; }
        var types = ["'geometry'","'raster'"]; // types of interest
        client.query("SELECT oid, typname FROM pg_type where typname in (" + types.join(',') + ")", function(err,res) {
          done();
          if ( err ) { cb(err); return; }
          var cache = {};
          res.rows.map(function(r) {
            cache[r.oid] = r.typname;
          });
          extTypeName[db] = cache;
          cb();
        });
      });
    }

    // Return type name for a type identifier
    //
    // Possibly returns undefined, for unkonwn (uncached)
    //
    me.typeName = function(typeId) {
      return stdTypeName[typeId] ? stdTypeName[typeId] : extTypeName[this.db][typeId];
    }

    me.connect = function(cb){
      var that = this;
      this.ensureTypeCache(function(err) {
        if ( err ) cb(err);
        else pg.connect(that.conString, cb);
      });
    };

    me.eventedQuery = function(sql, callback){
        var that = this;

        Step(
            function(){
                that.sanitize(sql, this);
            },
            function(err, clean){
                if (err) throw err;
                that.connect(this);
            },
            function(err, client, done){
                if (err) throw err;
                var query = client.query(sql);

                // forward notices to query
                var noticeListener = function() {
                  query.emit('notice', arguments); 
                };
                client.on('notice', noticeListener);

                // NOTE: for some obscure reason passing "done" directly
                //       as the listener works but can be slower
                //      (by x2 factor!)
                query.on('end', function() {
                  client.removeListener('notice', noticeListener);
                  done();
                }); 
                return query;
            },
            function(err, query){
                callback(err, query)
            }
        );
    };

    me.quoteIdentifier = function(str) {
      return pg.Client.prototype.escapeIdentifier(str);
    };

    me.escapeLiteral = function(s) {
      return pg.Client.prototype.escapeLiteral(str);
    };

    me.query = function(sql, callback){
        var that = this;
        var finish;

        Step(
            function(){
                that.sanitize(sql, this);
            },
            function(err, clean){
                if (err) throw err;
                that.connect(this);
            },
            function(err, client, done){
                if (err) throw err;
                finish = done;
                client.query(sql, this);
            },
            function(err, res){

                // Release client to the pool
                // should this be postponed to after the callback ?
                // NOTE: if we pass a true value to finish() the client
                //       will be removed from the pool.
                //       We don't want this. Not now.
                if ( finish ) finish();

                callback(err, res)
            }
        );
    };

    // throw exception if illegal operations are detected
    // NOTE: this check is weak hack, better database
    //       permissions should be used instead.
    me.sanitize = function(sql, callback){
        // NOTE: illegal table access is checked in main app
        if (sql.match(/^\s+set\s+/i)){
            var error = new SyntaxError("SET command is forbidden");
            error.http_status = 403;
            callback(error); 
            return;
        }
        callback(null,true);
    };

    return me;
};

// little hack for UI
//
// TODO:drop, fix in the UI (it's not documented in doc/API)
//
PSQL.window_sql = function(sql, limit, offset) {
  // only window select functions (NOTE: "values" will be broken, "with" will be broken)
  if (!_.isNumber(limit) || !_.isNumber(offset) ) return sql;

  var cte = '';

  if ( sql.match(/^\s*WITH\s/i) ) {

    var rem = sql; // analyzed portion of sql
    var q; // quote char
    var n = 0; // nested parens level
    var s = 0; // 0:outQuote, 1:inQuote
    var l;
    while (1) {
      l = rem.search(/[("')]/);
//console.log("REM Is " + rem);
      if ( l < 0 ) {
        console.log("Malformed SQL");
        return sql;
      }
      var f = rem.charAt(l);
//console.log("n:" + n + " s:" + s + " l:" + l + " charAt(l):" + f + " charAt(l+1):" + rem.charAt(l+1));
      if ( s == 0 ) {
        if ( f == '(' ) ++n; 
        else if ( f == ')' ) {
          if ( ! --n ) { // end of CTE
            cte += rem.substr(0, l+1);
            rem = rem.substr(l+1);
  //console.log("Out of cte, rem is " + rem);
            if ( rem.search(/^s*,/) < 0 ) break;
            else continue; // cte and rem already updated
          }
        }
        else { // enter quoting
          s = 1; q = f;
        }
      }
      else if ( f == q ) {
        if ( rem.charAt(l+1) == f ) ++l; // escaped
        else s = 0; // exit quoting
      }
      cte += rem.substr(0, l+1);
      rem = rem.substr(l+1);
    }
/*
console.log("cte: " + cte);
console.log("rem: " + rem);
*/
    sql = rem; //sql.substr(l+1);
  }


  if ( sql.match(/^\s*SELECT\s/i) ) {
      return cte + "SELECT * FROM (" + sql + ") AS cdbq_1 LIMIT " + limit + " OFFSET " + offset;
  } 

  return cte + sql;
}

module.exports = PSQL;
first draft, tidied, unit tests, modules, refactor, environments, see TODO for next steps" 2011-06-13 11:23:02 +08:00			`var _ = require('underscore')`
add system table sanitizer 2011-11-22 08:06:14 +08:00			`, Step = require('step')`
			`, pg = require('pg');//.native; // disabled for now due to: https://github.com/brianc/node-postgres/issues/48`
			`_.mixin(require('underscore.string'));`
first draft, tidied, unit tests, modules, refactor, environments, see TODO for next steps" 2011-06-13 11:23:02 +08:00
Survive postgresql connection losses. Closes #95. 2013-05-25 00:16:12 +08:00			`// Max database connections in the pool`
			`// Subsequent connections will block waiting for a free slot`
			`pg.defaults.poolSize = global.settings.db_pool_size \|\| 16;`

			`// Milliseconds of idle time before removing connection from pool`
			`pg.defaults.poolIdleTimeout = global.settings.db_pool_idleTimeout \|\| 30000;`

			`// Frequency to check for idle clients within the pool, ms`
			`pg.defaults.reapIntervalMillis = global.settings.db_pool_reapInterval \|\| 1000;`

			`pg.on('error', function(err, client) {`
			`console.log("PostgreSQL connection error: " + err);`
			`});`

Parse all numbers as floats. Closes #100 2013-07-10 03:50:28 +08:00			`// Workaround for https://github.com/Vizzuality/CartoDB-SQL-API/issues/100`
			`var types = require(__dirname + '/../../node_modules/pg/lib/types');`
			`var arrayParser = require(__dirname + '/../../node_modules/pg/lib/types/arrayParser');`
			`var floatParser = function(val) {`
			`return parseFloat(val);`
			`};`
			`var floatArrayParser = function(val) {`
			`if(!val) { return null; }`
			`var p = arrayParser.create(val, function(entry) {`
			`return floatParser(entry);`
			`});`
			`return p.parse();`
			`};`
Use float parsing for int8 too This makes us ready to upgrade to node-pg 2.x 2013-07-23 00:22:30 +08:00			`types.setTypeParser(20, floatParser); // int8`
			`types.setTypeParser(700, floatParser); // float4`
			`types.setTypeParser(701, floatParser); // float8`
			`types.setTypeParser(1700, floatParser); // numeric`
			`types.setTypeParser(1021, floatArrayParser); // _float4`
			`types.setTypeParser(1022, floatArrayParser); // _float8`
			`types.setTypeParser(1231, floatArrayParser); // _numeric`
			`types.setTypeParser(1016, floatArrayParser); // _int8`
Parse all numbers as floats. Closes #100 2013-07-10 03:50:28 +08:00
Improve recognition of non-standard field types names by db lookup Closes #112. Only looks up "geometry" and "raster" types for now, can be improved over time. 2013-10-02 16:22:13 +08:00			`// Standard type->name mappnig (up to oid=2000)`
			`var stdTypeName = {`
			`16: 'bool',`
			`17: 'bytea',`
			`20: 'int8',`
			`21: 'int2',`
			`23: 'int4',`
			`25: 'text',`
			`26: 'oid',`
			`114: 'JSON',`
			`700: 'float4',`
			`701: 'float8',`
			`1000: '_bool',`
			`1015: '_varchar',`
			`1042: 'bpchar',`
			`1043: 'varchar',`
			`1005: '_int2',`
			`1007: '_int4',`
			`1014: '_bpchar',`
			`1016: '_int8',`
			`1021: '_float4',`
			`1022: '_float8',`
			`1008: '_regproc',`
			`1009: '_text',`
JSON format: correctly recognize "date" type columns Closes #117 -- includes testcase 2013-11-06 18:43:56 +08:00			`1082: 'date',`
Improve recognition of non-standard field types names by db lookup Closes #112. Only looks up "geometry" and "raster" types for now, can be improved over time. 2013-10-02 16:22:13 +08:00			`1114: 'timestamp',`
JSON format: correctly recognize "date" type columns Closes #117 -- includes testcase 2013-11-06 18:43:56 +08:00			`1182: '_date',`
Improve recognition of non-standard field types names by db lookup Closes #112. Only looks up "geometry" and "raster" types for now, can be improved over time. 2013-10-02 16:22:13 +08:00			`1184: 'timestampz',`
			`1186: 'interval',`
			`1231: '_numeric',`
			`1700: 'numeric'`
			`};`

			`// Holds a typeId->typeName mapping for each`
			`// database ever connected to`
			`var extTypeName = {};`
Survive postgresql connection losses. Closes #95. 2013-05-25 00:16:12 +08:00
first draft, tidied, unit tests, modules, refactor, environments, see TODO for next steps" 2011-06-13 11:23:02 +08:00			`// PSQL`
			`//`
			`// A simple postgres wrapper with logic about username and database to connect`
			`//`
			`// * intended for use with pg_bouncer`
			`// * defaults to connecting with a "READ ONLY" user to given DB if not passed a specific user_id`
Refactor PSQL model to take full db config in the constructor Closes #58, stops reading configuration variables itself 2013-11-18 18:42:43 +08:00			`//`
			`// @param opts connection options:`
			`// user: database username`
			`// pass: database user password`
			`// host: database host`
			`// port: database port`
			`// dbname: database name`
			`//`
			`var PSQL = function(dbopts) {`
added body_hash to oauth check and stopped firing exception if incomplete oauth variables sent 2011-08-22 20:33:12 +08:00
add system table sanitizer 2011-11-22 08:06:14 +08:00			`var error_text = "Incorrect access parameters. If you are accessing via OAuth, please check your tokens are correct. For public users, please ensure your table is published."`
Refactor PSQL model to take full db config in the constructor Closes #58, stops reading configuration variables itself 2013-11-18 18:42:43 +08:00			`if ( ! dbopts \|\| ( !_.isString(dbopts.user) && !_.isString(dbopts.dbname)))`
			`{`
			`// console.log("DBOPTS: "); console.dir(dbopts);`
			`throw new Error(error_text);`
			`}`
add system table sanitizer 2011-11-22 08:06:14 +08:00
			`var me = {`
Refactor PSQL model to take full db config in the constructor Closes #58, stops reading configuration variables itself 2013-11-18 18:42:43 +08:00			`dbopts: dbopts`
add system table sanitizer 2011-11-22 08:06:14 +08:00			`};`

			`me.username = function(){`
Refactor PSQL model to take full db config in the constructor Closes #58, stops reading configuration variables itself 2013-11-18 18:42:43 +08:00			`return this.dbopts.user;`
add system table sanitizer 2011-11-22 08:06:14 +08:00			`};`

Optionally read user-specific database_password from redis Follows CartoDB-2.5.0 model. Includes testcase. Closes #120 -- Jira ref CDB-870 2013-11-18 20:31:11 +08:00			`me.password = function(){`
			`return this.dbopts.pass;`
			`};`

add system table sanitizer 2011-11-22 08:06:14 +08:00			`me.database = function(){`
Refactor PSQL model to take full db config in the constructor Closes #58, stops reading configuration variables itself 2013-11-18 18:42:43 +08:00			`return this.dbopts.dbname;`
			`};`

			`me.dbhost = function(){`
			`return this.dbopts.host;`
			`};`
add system table sanitizer 2011-11-22 08:06:14 +08:00
Refactor PSQL model to take full db config in the constructor Closes #58, stops reading configuration variables itself 2013-11-18 18:42:43 +08:00			`me.dbport = function(){`
			`return this.dbopts.port;`
add system table sanitizer 2011-11-22 08:06:14 +08:00			`};`

Optionally read user-specific database_password from redis Follows CartoDB-2.5.0 model. Includes testcase. Closes #120 -- Jira ref CDB-870 2013-11-18 20:31:11 +08:00			`me.conString = "tcp://" + me.username() +`
			`":" + me.password() + // this line only if not-null ?`
			`"@" +`
Refactor PSQL model to take full db config in the constructor Closes #58, stops reading configuration variables itself 2013-11-18 18:42:43 +08:00			`me.dbhost() + ":" +`
			`me.dbport() + "/" +`
Expose PostgreSQL client pooling settings in environment files Actually also moves to a real pooling model, managed by node-pg. Closes #47 See .example files for new configurations 2013-05-24 18:06:14 +08:00			`me.database();`

Improve recognition of non-standard field types names by db lookup Closes #112. Only looks up "geometry" and "raster" types for now, can be improved over time. 2013-10-02 16:22:13 +08:00			`me.ensureTypeCache = function(cb) {`
			`var db = this.db;`
			`if ( extTypeName[db] ) { cb(); return; }`
			`pg.connect(this.conString, function(err, client, done) {`
			`if ( err ) { cb(err); return; }`
			`var types = ["'geometry'","'raster'"]; // types of interest`
			`client.query("SELECT oid, typname FROM pg_type where typname in (" + types.join(',') + ")", function(err,res) {`
			`done();`
			`if ( err ) { cb(err); return; }`
			`var cache = {};`
			`res.rows.map(function(r) {`
			`cache[r.oid] = r.typname;`
			`});`
			`extTypeName[db] = cache;`
			`cb();`
			`});`
			`});`
			`}`

			`// Return type name for a type identifier`
			`//`
			`// Possibly returns undefined, for unkonwn (uncached)`
			`//`
			`me.typeName = function(typeId) {`
			`return stdTypeName[typeId] ? stdTypeName[typeId] : extTypeName[this.db][typeId];`
			`}`

			`me.connect = function(cb){`
			`var that = this;`
			`this.ensureTypeCache(function(err) {`
			`if ( err ) cb(err);`
			`else pg.connect(that.conString, cb);`
			`});`
			`};`

Switch to using evented query model for postgresql This enables formats for processing rows as they arrive from the database, thus possibly reducing memory use. For a start the skip fields are immediately removed from the result, rather than only at the end. 2013-05-29 20:36:31 +08:00			`me.eventedQuery = function(sql, callback){`
			`var that = this;`

			`Step(`
			`function(){`
			`that.sanitize(sql, this);`
			`},`
			`function(err, clean){`
			`if (err) throw err;`
Improve recognition of non-standard field types names by db lookup Closes #112. Only looks up "geometry" and "raster" types for now, can be improved over time. 2013-10-02 16:22:13 +08:00			`that.connect(this);`
Switch to using evented query model for postgresql This enables formats for processing rows as they arrive from the database, thus possibly reducing memory use. For a start the skip fields are immediately removed from the result, rather than only at the end. 2013-05-29 20:36:31 +08:00			`},`
			`function(err, client, done){`
			`if (err) throw err;`
			`var query = client.query(sql);`
Add warnings and notices to JSON response. Closes #104. 2013-11-19 00:01:06 +08:00
			`// forward notices to query`
			`var noticeListener = function() {`
			`query.emit('notice', arguments);`
			`};`
			`client.on('notice', noticeListener);`

Switch to using evented query model for postgresql This enables formats for processing rows as they arrive from the database, thus possibly reducing memory use. For a start the skip fields are immediately removed from the result, rather than only at the end. 2013-05-29 20:36:31 +08:00			`// NOTE: for some obscure reason passing "done" directly`
			`// as the listener works but can be slower`
			`// (by x2 factor!)`
Add warnings and notices to JSON response. Closes #104. 2013-11-19 00:01:06 +08:00			`query.on('end', function() {`
			`client.removeListener('notice', noticeListener);`
			`done();`
			`});`
Switch to using evented query model for postgresql This enables formats for processing rows as they arrive from the database, thus possibly reducing memory use. For a start the skip fields are immediately removed from the result, rather than only at the end. 2013-05-29 20:36:31 +08:00			`return query;`
			`},`
			`function(err, query){`
			`callback(err, query)`
			`}`
			`);`
Fix missing .prj file in shapefile format Finds srid, when needed, with an additional query. Closes #110. Includes testcases. 2013-10-01 23:19:44 +08:00			`};`

			`me.quoteIdentifier = function(str) {`
Upgrade node-pg dependency to 2.6.2 Simplifies PSQL.quoteIdentifier and exposes PSQL.quoteLiteral 2013-10-02 18:32:07 +08:00			`return pg.Client.prototype.escapeIdentifier(str);`
Fix missing .prj file in shapefile format Finds srid, when needed, with an additional query. Closes #110. Includes testcases. 2013-10-01 23:19:44 +08:00			`};`

			`me.escapeLiteral = function(s) {`
Upgrade node-pg dependency to 2.6.2 Simplifies PSQL.quoteIdentifier and exposes PSQL.quoteLiteral 2013-10-02 18:32:07 +08:00			`return pg.Client.prototype.escapeLiteral(str);`
Fix missing .prj file in shapefile format Finds srid, when needed, with an additional query. Closes #110. Includes testcases. 2013-10-01 23:19:44 +08:00			`};`
Switch to using evented query model for postgresql This enables formats for processing rows as they arrive from the database, thus possibly reducing memory use. For a start the skip fields are immediately removed from the result, rather than only at the end. 2013-05-29 20:36:31 +08:00
Bubble paging UI hack up from model to controller ... one day we'll need to completely drop this hack! 2013-05-24 16:22:17 +08:00			`me.query = function(sql, callback){`
add system table sanitizer 2011-11-22 08:06:14 +08:00			`var that = this;`
Expose PostgreSQL client pooling settings in environment files Actually also moves to a real pooling model, managed by node-pg. Closes #47 See .example files for new configurations 2013-05-24 18:06:14 +08:00			`var finish;`
add system table sanitizer 2011-11-22 08:06:14 +08:00
			`Step(`
			`function(){`
			`that.sanitize(sql, this);`
			`},`
			`function(err, clean){`
			`if (err) throw err;`
Improve recognition of non-standard field types names by db lookup Closes #112. Only looks up "geometry" and "raster" types for now, can be improved over time. 2013-10-02 16:22:13 +08:00			`that.connect(this);`
add system table sanitizer 2011-11-22 08:06:14 +08:00			`},`
Expose PostgreSQL client pooling settings in environment files Actually also moves to a real pooling model, managed by node-pg. Closes #47 See .example files for new configurations 2013-05-24 18:06:14 +08:00			`function(err, client, done){`
Hide dangerous methods of the PSQL model class These steps are prepatorial to recactoring to event-based model 2013-05-24 16:38:27 +08:00			`if (err) throw err;`
Expose PostgreSQL client pooling settings in environment files Actually also moves to a real pooling model, managed by node-pg. Closes #47 See .example files for new configurations 2013-05-24 18:06:14 +08:00			`finish = done;`
Bubble paging UI hack up from model to controller ... one day we'll need to completely drop this hack! 2013-05-24 16:22:17 +08:00			`client.query(sql, this);`
add system table sanitizer 2011-11-22 08:06:14 +08:00			`},`
			`function(err, res){`
Expose PostgreSQL client pooling settings in environment files Actually also moves to a real pooling model, managed by node-pg. Closes #47 See .example files for new configurations 2013-05-24 18:06:14 +08:00
			`// Release client to the pool`
			`// should this be postponed to after the callback ?`
			`// NOTE: if we pass a true value to finish() the client`
			`// will be removed from the pool.`
			`// We don't want this. Not now.`
			`if ( finish ) finish();`

add system table sanitizer 2011-11-22 08:06:14 +08:00			`callback(err, res)`
			`}`
			`);`
			`};`

Make using SET or querying system catalogues harder An hack to "prevent" querying system tables already existed but was pretty weak. This commits makes that a bit stronger. The filter for SET is new. 2013-04-09 17:49:05 +08:00			`// throw exception if illegal operations are detected`
			`// NOTE: this check is weak hack, better database`
			`// permissions should be used instead.`
add system table sanitizer 2011-11-22 08:06:14 +08:00			`me.sanitize = function(sql, callback){`
Rework system catalogue prevention access check to use CDB_QueryTables This change reduces the chances of false positive (forbidding legit queries). Doesn't solve the problem of false negative (allowing illegit queries). 2013-04-09 18:36:37 +08:00			`// NOTE: illegal table access is checked in main app`
Make using SET or querying system catalogues harder An hack to "prevent" querying system tables already existed but was pretty weak. This commits makes that a bit stronger. The filter for SET is new. 2013-04-09 17:49:05 +08:00			`if (sql.match(/^\s+set\s+/i)){`
			`var error = new SyntaxError("SET command is forbidden");`
			`error.http_status = 403;`
			`callback(error);`
			`return;`
add system table sanitizer 2011-11-22 08:06:14 +08:00			`}`
Make using SET or querying system catalogues harder An hack to "prevent" querying system tables already existed but was pretty weak. This commits makes that a bit stronger. The filter for SET is new. 2013-04-09 17:49:05 +08:00			`callback(null,true);`
add system table sanitizer 2011-11-22 08:06:14 +08:00			`};`

			`return me;`
first draft, tidied, unit tests, modules, refactor, environments, see TODO for next steps" 2011-06-13 11:23:02 +08:00			`};`

Add support for CTE in sql windowing, add unit tests This is still an undocumented feature, but as long as it's present and used (by cartodb UI) better tested than broken... NOTE: more tests are needed for CTE and RETURNING queries 2013-06-14 17:18:16 +08:00			`// little hack for UI`
			`//`
			`// TODO:drop, fix in the UI (it's not documented in doc/API)`
			`//`
			`PSQL.window_sql = function(sql, limit, offset) {`
			`// only window select functions (NOTE: "values" will be broken, "with" will be broken)`
			`if (!_.isNumber(limit) \|\| !_.isNumber(offset) ) return sql;`

			`var cte = '';`

			`if ( sql.match(/^\s*WITH\s/i) ) {`

			`var rem = sql; // analyzed portion of sql`
			`var q; // quote char`
			`var n = 0; // nested parens level`
			`var s = 0; // 0:outQuote, 1:inQuote`
			`var l;`
			`while (1) {`
			`l = rem.search(/[("')]/);`
			`//console.log("REM Is " + rem);`
			`if ( l < 0 ) {`
			`console.log("Malformed SQL");`
			`return sql;`
			`}`
			`var f = rem.charAt(l);`
			`//console.log("n:" + n + " s:" + s + " l:" + l + " charAt(l):" + f + " charAt(l+1):" + rem.charAt(l+1));`
			`if ( s == 0 ) {`
			`if ( f == '(' ) ++n;`
			`else if ( f == ')' ) {`
			`if ( ! --n ) { // end of CTE`
			`cte += rem.substr(0, l+1);`
			`rem = rem.substr(l+1);`
			`//console.log("Out of cte, rem is " + rem);`
			`if ( rem.search(/^s*,/) < 0 ) break;`
			`else continue; // cte and rem already updated`
			`}`
			`}`
			`else { // enter quoting`
			`s = 1; q = f;`
			`}`
			`}`
			`else if ( f == q ) {`
			`if ( rem.charAt(l+1) == f ) ++l; // escaped`
			`else s = 0; // exit quoting`
			`}`
			`cte += rem.substr(0, l+1);`
			`rem = rem.substr(l+1);`
			`}`
			`/*`
			`console.log("cte: " + cte);`
			`console.log("rem: " + rem);`
			`*/`
			`sql = rem; //sql.substr(l+1);`
			`}`


			`if ( sql.match(/^\s*SELECT\s/i) ) {`
			`return cte + "SELECT * FROM (" + sql + ") AS cdbq_1 LIMIT " + limit + " OFFSET " + offset;`
			`}`

			`return cte + sql;`
			`}`

Introduced a new parameter db_port to change it in a easy way Some space and linebreaks cleaning 2011-06-13 18:31:50 +08:00			`module.exports = PSQL;`