Do not auto parameterize PostgreSQL range and multirange types containing expressions

In general, you can only parameterize values, and ranges and
multiranges can contain expressions. Check whether the start and
end of the range, and whether the elements of the multirange, are
themselves parameterizable before using auto parameterization.

Note that even if auto parameterization is skipped, range
literalization will only work correctly for ranges with types.
If a range doesn't have a type, Sequel will try to literalize
the value embedded in a string, which won't work for expressions.
This doesn't appear to be fixable, because PostgreSQL doesn't
offer a function to create an untyped range.

Author: jeremyevans

CHANGELOG

@@ -1,5 +1,7 @@
 === master
 
+* Do not auto parameterize PostgreSQL range and multirange types containing expressions (jeremyevans)
+
 * Support sort and reverse methods in pg_array_ops extension on PostgreSQL 18+ (jeremyevans)
 
 * Support :in_arrays option for Postgres::JSON{,B}#strip_nulls in pg_json_ops extension on PostgreSQL 18+ (jeremyevans)

lib/sequel/extensions/pg_multirange.rb

@@ -339,7 +339,7 @@ def unquoted_literal(ds)
 
       # Allow automatic parameterization.
       def sequel_auto_param_type(ds)
-        "::#{db_type}"
+        "::#{db_type}" if all?{|range| range.is_a?(Range) || ds.send(:auto_param_type, range)}
       end
     end
   end

lib/sequel/extensions/pg_range.rb

@@ -481,9 +481,9 @@ def unquoted_literal(ds)
         end
       end
 
-      # Allow automatic parameterization for ranges with types.
+      # Allow automatic parameterization for ranges with types, if both start .
       def sequel_auto_param_type(ds)
-        "::#{db_type}" if db_type
+        "::#{db_type}" if db_type && (!@begin || ds.send(:auto_param_type, @begin)) && (!@end || ds.send(:auto_param_type, @end))
       end
 
       private

spec/adapters/postgres_spec.rb

@@ -5190,6 +5190,14 @@ def left_item_id
     @db.get(Sequel.cast(eval('nil...nil'), :int4range)).wont_be :==, Sequel::Postgres::PGRange.new(nil, 1, :exclude_begin=>true, :db_type=>"int4range")
   end if RUBY_VERSION >= '2.7'
 
+  it 'handle ranges with expressions' do
+    @db.create_table!(:items){Integer :b; Integer :e}
+    Sequel.extension :pg_range_ops
+    @db[:items].insert(1, 3)
+    @db[:items].get(Sequel::Postgres::PGRange.new(:b, :e, :db_type => :int4range).op.contains(2)).must_equal true
+    @db[:items].get(Sequel::Postgres::PGRange.new(:b, :e, :db_type => :int4range).op.contains(4)).must_equal false
+  end
+
   it 'parse default values for schema' do
     @db.create_table!(:items) do
       Integer :j
@@ -5403,6 +5411,14 @@ def left_item_id
     v.each{|k,v1| v1.must_be :==, @pgra[k].to_a}
   end
 
+  it 'handle multiranges containing ranges with expressions' do
+    @db.create_table!(:items){Integer :b; Integer :e}
+    Sequel.extension :pg_range_ops
+    @db[:items].insert(1, 3)
+    @db[:items].get(Sequel.pg_multirange([Sequel::Postgres::PGRange.new(:b, :e, :db_type => :int4range)], :int4multirange).op.contains(2)).must_equal true
+    @db[:items].get(Sequel.pg_multirange([Sequel::Postgres::PGRange.new(:b, :e, :db_type => :int4range)], :int4multirange).op.contains(4)).must_equal false
+  end
+
   it 'operations/functions with pg_range_ops' do
     Sequel.extension :pg_range_ops
     mr = lambda do |range|

spec/extensions/pg_auto_parameterize_spec.rb

@@ -378,16 +378,25 @@ def copy_table_sql(ds, *) "COPY TABLE #{ds.is_a?(Sequel::Dataset) ? ds.sql : ds}
     sql.args.must_equal [v]
   end
 
-  it "should automatically parameterize pg_multirange values" do
+  it "should automatically parameterize pg_multirange values if they are parameterizable" do
     @db.extension :pg_multirange
     v = Sequel.pg_multirange([1..2, 5..6], :int4multirange)
     sql = @db[:table].insert_sql(v)
     sql.must_equal 'INSERT INTO "table" VALUES ($1::int4multirange)'
-    sql.args.length.must_equal 1
     sql.args.must_equal [v]
+
+    v = Sequel.pg_multirange([Sequel::Postgres::PGRange.new(1, nil, :db_type => :int4range)], :int4multirange)
+    sql = @db[:table].insert_sql(v)
+    sql.must_equal 'INSERT INTO "table" VALUES ($1::int4multirange)'
+    sql.args.must_equal [v]
+
+    v = Sequel.pg_multirange([Sequel::Postgres::PGRange.new(1, :en, :db_type => :int4range)], :int4multirange)
+    sql = @db[:table].insert_sql(v)
+    sql.must_equal 'INSERT INTO "table" VALUES (int4multirange(int4range($1::int4,"en",$2)))'
+    sql.args.must_equal [1, "[]"]
   end
 
-  it "should automatically parameterize pg_range values" do
+  it "should automatically parameterize pg_range values if they are parameterizable" do
     @db.extension :pg_range
     v = Sequel.pg_range(1..2, :int4range)
     sql = @db[:table].insert_sql(v)
@@ -398,6 +407,36 @@ def copy_table_sql(ds, *) "COPY TABLE #{ds.is_a?(Sequel::Dataset) ? ds.sql : ds}
     sql = @db[:table].insert_sql(v)
     sql.must_equal 'INSERT INTO "table" VALUES ($1)'
     sql.args.must_equal ['[1,2]']
+
+    v = Sequel::Postgres::PGRange.new(1, nil, :db_type => :int4range)
+    sql = @db[:table].insert_sql(v)
+    sql.must_equal 'INSERT INTO "table" VALUES ($1::int4range)'
+    sql.args.must_equal [v]
+
+    v = Sequel::Postgres::PGRange.new(1, nil)
+    sql = @db[:table].insert_sql(v)
+    sql.must_equal 'INSERT INTO "table" VALUES ($1)'
+    sql.args.must_equal ['[1,]']
+
+    v = Sequel::Postgres::PGRange.new(nil, 2, :db_type => :int4range)
+    sql = @db[:table].insert_sql(v)
+    sql.must_equal 'INSERT INTO "table" VALUES ($1::int4range)'
+    sql.args.must_equal [v]
+
+    v = Sequel::Postgres::PGRange.new(nil, 2, :exclude_begin => true, :exclude_end => true)
+    sql = @db[:table].insert_sql(v)
+    sql.must_equal 'INSERT INTO "table" VALUES ($1)'
+    sql.args.must_equal ['(,2)']
+
+    v = Sequel::Postgres::PGRange.new(:st, 2, :db_type => :int4range)
+    sql = @db[:table].insert_sql(v)
+    sql.must_equal 'INSERT INTO "table" VALUES (int4range("st",$1::int4,$2))'
+    sql.args.must_equal [2, '[]']
+
+    v = Sequel::Postgres::PGRange.new(1, :en, :exclude_begin => true, :exclude_end=> true, :db_type => :int4range)
+    sql = @db[:table].insert_sql(v)
+    sql.must_equal 'INSERT INTO "table" VALUES (int4range($1::int4,"en",$2))'
+    sql.args.must_equal [1, '()']
   end
 
   it "should automatically parameterize pg_row values if parts are automatically parameterizable" do