new sqlpage.url_encode() function

Author: lovasoa

CHANGELOG.md

@@ -5,7 +5,7 @@
  - **variables** . SQLPage now support setting and reusing variables between statements. This allows you to write more complex SQL queries, and to reuse the result of a query in multiple places.
    ```sql
    -- Set a variable
-   SET person = 'Alice';
+   SET person = (select username from users where id = $id);
    -- Use it in a query
    SELECT 'text' AS component, 'Hello ' || $person AS contents;
    ```
@@ -20,6 +20,11 @@
   from json_each(sqlpage.exec('curl', 'https://jsonplaceholder.typicode.com/users'));
    ```
    This function is disabled by default for security reasons. To enable it, set the `allow_exec` configuration parameter to `true` in the [configuration](./configuration.md). Enabling it gives full access to the server to anyone who can write SQL queries on your website (this includes users with access to the local filesystem and users with write access to the `sqlpage_files` table on your database), so be careful !
+ - New `sqlpage.url_encode` function to percent-encode URL parameters.
+   ```sql
+   select 'card' as component;
+   select 'More...' as title, 'advanced_search.sql?query=' || sqlpage.url_encode($query)
+   ```
 
 ## 0.11.0 (2023-09-17)
  - Support for **environment variables** ! You can now read environment variables from sql code using `sqlpage.environment_variable('VAR_NAME')`.

examples/official-site/sqlpage/migrations/08_functions.sql

@@ -284,11 +284,11 @@ VALUES (
         'Returns the current version of SQLPage as a string.'
     );
 INSERT INTO sqlpage_functions (
-    "name",
-    "introduced_in_version",
-    "icon",
-    "description_md"
-)
+        "name",
+        "introduced_in_version",
+        "icon",
+        "description_md"
+    )
 VALUES (
         'exec',
         '0.12.0',
@@ -341,4 +341,42 @@ VALUES (
         'arguments...',
         'The arguments to pass to the program.',
         'TEXT'
+    );
+INSERT INTO sqlpage_functions (
+        "name",
+        "introduced_in_version",
+        "icon",
+        "description_md"
+    )
+VALUES (
+        'url_encode',
+        '0.12.0',
+        'percentage',
+        'Returns the given string, with all characters that are not allowed in a URL encoded.
+
+### Example
+    
+    ```sql
+    select ''text'' as component;
+    select ''https://example.com/?q='' || sqlpage.url_encode($user_search) as contents;
+    ```
+
+#### Result
+
+`https://example.com/?q=hello%20world`
+'
+    );
+INSERT INTO sqlpage_function_parameters (
+        "function",
+        "index",
+        "name",
+        "description_md",
+        "type"
+    )
+VALUES (
+        'url_encode',
+        1,
+        'string',
+        'The string to encode.',
+        'TEXT'
     );

src/webserver/database/sql_pseudofunctions.rs

@@ -26,6 +26,7 @@ pub(super) enum StmtParam {
     BasicAuthPassword,
     BasicAuthUsername,
     HashPassword(Box<StmtParam>),
+    UrlEncode(Box<StmtParam>),
     Exec(Vec<StmtParam>),
     RandomString(usize),
     CurrentWorkingDir,
@@ -57,6 +58,9 @@ pub(super) fn func_call_to_param(func_name: &str, arguments: &mut [FunctionArg])
         "current_working_directory" => StmtParam::CurrentWorkingDir,
         "environment_variable" => extract_single_quoted_string("environment_variable", arguments)
             .map_or_else(StmtParam::Error, StmtParam::EnvironmentVariable),
+        "url_encode" => {
+            StmtParam::UrlEncode(Box::new(extract_variable_argument("url_encode", arguments)))
+        }
         "version" => StmtParam::SqlPageVersion,
         unknown_name => StmtParam::Error(format!(
             "Unknown function {unknown_name}({})",
@@ -74,10 +78,35 @@ pub(super) async fn extract_req_param<'a>(
     Ok(match param {
         StmtParam::HashPassword(inner) => has_password_param(inner, request).await?,
         StmtParam::Exec(args_params) => exec_external_command(args_params, request).await?,
+        StmtParam::UrlEncode(inner) => url_encode(inner, request).await?,
         _ => extract_req_param_non_nested(param, request)?,
     })
 }
 
+async fn url_encode<'a>(
+    inner: &Box<StmtParam>,
+    request: &'a RequestInfo,
+) -> Result<Option<Cow<'a, str>>, anyhow::Error> {
+    let param = extract_req_param_non_nested(inner, request);
+    match param {
+        Ok(Some(Cow::Borrowed(inner))) => {
+            let encoded = percent_encoding::percent_encode(
+                inner.as_bytes(),
+                percent_encoding::NON_ALPHANUMERIC,
+            );
+            Ok(Some(encoded.into()))
+        }
+        Ok(Some(Cow::Owned(inner))) => {
+            let encoded = percent_encoding::percent_encode(
+                inner.as_bytes(),
+                percent_encoding::NON_ALPHANUMERIC,
+            );
+            Ok(Some(Cow::Owned(encoded.to_string())))
+        }
+        param => param,
+    }
+}
+
 async fn exec_external_command<'a>(
     args_params: &[StmtParam],
     request: &'a RequestInfo,
@@ -141,6 +170,7 @@ pub(super) fn extract_req_param_non_nested<'a>(
             .map(Some)?,
         StmtParam::HashPassword(_) => bail!("Nested hash_password() function not allowed"),
         StmtParam::Exec(_) => bail!("Nested exec() function not allowed"),
+        StmtParam::UrlEncode(_) => bail!("Nested url_encode() function not allowed"),
         StmtParam::RandomString(len) => Some(Cow::Owned(random_string(*len))),
         StmtParam::CurrentWorkingDir => cwd()?,
         StmtParam::EnvironmentVariable(var) => std::env::var(var)