From b3fe39d3a7da8c6d8759e9c668e1536bb3b1daf1 Mon Sep 17 00:00:00 2001
From: Jamie Matthews <jamie.matthews@gmail.com>
Date: Fri, 26 Feb 2010 21:08:06 +0000
Subject: Fixed multiple bugs in query building

* ORDER BY, LIMIT and OFFSET parameters cannot be bound to the query
as the database surrounds them with quotes, formining invalid SQL.
They are now simply concatenated to the SQL string. The documentation
has been updated to mark these as "unsafe" and not suitable for use with
unfiltered user input.

* ORDER BY should come before LIMIT and OFFSET.
---
 README.markdown | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'README.markdown')

diff --git a/README.markdown b/README.markdown
index 1f6ba17..0aefe23 100644
--- a/README.markdown
+++ b/README.markdown
@@ -55,6 +55,8 @@ Idiorm provides a [*fluent interface*](http://en.wikipedia.org/wiki/Fluent_inter
 
 All Idiorm queries start with a call to the `for_table` static method on the ORM class. This tells the ORM which table to use when making the query. Method calls which are then strung together. Finally, the chain is finished by calling either `find_one()` or `find_many()`, which executes the query and returns the result.
 
+*Note that this method **does not** escape its query parameter and so the table name should **not** be passed directly from user input.*
+
 Let's start with a simple example. Say we have a table called `person` which contains the columns `id` (the primary key of the record - Idiorm assumes the primary key column is called `id` but this is configurable, see below), `name`, `age` and `gender`.
 
 #### Single records ####
@@ -107,12 +109,16 @@ Note that this method only supports "question mark placeholder" syntax, and NOT
 
 #### LIMIT and OFFSET ####
 
+*Note that these methods **do not** escape their query parameters and so these should **not** be passed directly from user input.*
+
 The `limit` and `offset` methods map pretty closely to their SQL equivalents.
 
     $people = ORM::for_table('person')->where('gender', 'female')->limit(5)->offset(10)->find_many();
 
 #### ORDER BY ####
 
+*Note that this method **does not** escape its query parameter and so this should **not** be passed directly from user input.*
+
 Two methods are provided to add `ORDER BY` clauses to your query. These are `order_by_desc` and `order_by_asc`, each of which takes a column name to sort by.
 
     $people = ORM::for_table('person')->order_by_asc('gender')->order_by_desc('name')->find_many();
-- 
cgit v1.2.3