v0.26.0

SQLPage v0.26 🚀

SQLPage makes it easy to build data applications entirely in SQL.
This release enhances customization and usability with new features like custom layouts, improved Datagrid displays, and better handling of empty Tables. Bug fixes in Form and Shell components and new HTML attributes improve overall performance. Security and compatibility updates were made too.

Come and build a rich data-driven applications effortlessly with sqlpage!

Also in the news: SQLPage just passed 1000 stars on github. Star us too 🌟 !

Components

Card

New width attribute in the card component to set the width of the card. This finally allows you to create custom layouts, by combining the embed and width attributes of the card component! This also updates the default layout of the card component: when columns is not set, there is now a default of 4 columns instead of 5.

Datagrid

fix datagrid color pills display when they contain long text.

Table

Fixed a bug that could cause issues with other components when a table was empty.
Improved handling of empty tables. Added a new empty_description attribute, which defaults to No data. This allows you to display a custom message when a table is empty.

Form

• Fixed a bug where a form input with a value of 0 would diplay as empty instead of showing the 0.
• Reduced the margin at the botton of forms to fix the appearance of forms that are validated by a button component declared separately from the form.

Shell

Fixed ugly wrapping of items in the header when the page title is long. We now have a nice text ellipsis (...) when the title is too long.

Fixed the link to the website title in the shell component.

Allow loading javascript ESM modules in the shell component with the new javascript_module property.

html

Added text and post_html properties to the html component. This allows to include sanitized user-generated content in the middle of custom HTML.

select 
    'html' as component;
select 
    '<b>Username</b>: <mark>' as html,
    'username that will be safely escaped: <"& ' as text,
    '</mark>' as post_html;

Other

• allow customizing the Content-Security-Policy in the configuration.
• the new default content security policy is both more secure and easier to use. You can now include inline javascript in your custom components with <script nonce="{{@csp_nonce}}">...</script>.
• update to sqlparser v0.49.0
  • support WITH ORDINALITY in postgres FROM clauses
• update to handlebars-rs v6
• fix the "started successfully" message being displayed before the error message when the server failed to start.
• add support for using the system's native SSL Certificate Authority (CA) store in sqlpage.fetch. See the new system_root_ca_certificates configuration option.

v0.25.0

This update introduces several enhancements and fixes.

• The hero component now supports reversing the order of text and images, allowing more flexibility in design.
• The datagrid component has been optimized for mobile displays by reducing the maximum item width.
• Additionally, a new html component has been added for displaying raw HTML content, aimed at advanced users with a caution on potential security risks.
• Error messages in the dynamic component and syntax errors have been improved for better clarity and troubleshooting.
• The update also includes the addition of 54 new icons and the latest version of apexcharts.js for enhanced visual elements.

Several bug fixes have been implemented, such as

• correct display of points with a latitude of 0 on the map component and
• consistent behavior of the lower() function in SQLite.
• along with better truncation of long page titles

The update enhances SQL capabilities

• adding the ability to use arbitrary SQL expressions as arguments to SQLPage functions in most cases
• supporting custom operators in postgres
• The new sqlpage.link function simplifies creating links with parameters between pages, ensuring proper encoding of special characters.
• Lastly, the update includes a new parameter in the run_sql function to pass variables to SQL files, promoting modular and reusable SQL code.

-- Example using sqlpage.link to create links with parameters
SELECT 'list' AS component;
SELECT
  product_name AS title,
  sqlpage.link('product.sql', json_object('product', product_name)) AS link
FROM products;

-- Before, you would manually build links like this:
-- CONCAT('/product.sql?product=', product_name)
-- but that would fail if product_name contained special characters like '&' or '%'

-- Example using run_sql with variables
-- The SQL file display_product.sql can be modular and reusable
-- It can accept parameters passed through json_object
-- This allows for dynamic and flexible SQL execution

SELECT 'dynamic' AS component, 
       sqlpage.run_sql('display_product.sql', json_object('product_id', product_id)) AS properties 
FROM products;

detailed notes: https://github.com/lovasoa/SQLpage/blob/main/CHANGELOG.md#0250-2024-07-13

v0.24.0

🚀 SQLPage just got a major upgrade!

Forms, maps, menus, performance, bug fixes

🗺️ The form and map components are way more powerful now. A limitation over the number of options in multi-select fields was removed, and maps are smarter about centering and allow removing the base map completely. The shell component got a nice boost too, making it a breeze to create complex menus and use custom fonts, adding icons, or fixing the top menu when scrolling in the page.
💻 Performance-wise, things are looking up. Pages load faster, and SQLite's been bumped to the latest version. Oh, and there's a bunch of new tricks for buttons, lists, and cards - like compact modes and background colors. Plus, we squashed some pesky bugs and threw in a default favicon to keep those logs clean. 🐞🔨

Check out the full list of changes and how to use them in your applications

v0.23.0

SQLPage v0.23: Improved Performance, Enhanced Components, and Bug Fixes

• 🔁 Connection Reuse: The sqlpage.run_sql function now reuses existing database connections for the current query. This enhancement allows for creating temporary tables, spanning SQL transactions over multiple run_sql calls, and generally makes run_sql more performant.

• 🗃️ Empty Uploaded Files Fix: Optional file upload fields that are left empty will no longer be accessible to SQLPage file-related functions like sqlpage.uploaded_file_path and sqlpage.uploaded_file_mime_type. These functions will now return NULL if no file is uploaded. Similarly, sqlpage.persist_uploaded_file will not create an empty file but will return NULL if no file is uploaded.

• 🖱️ Button Component Updates:

  • A new tooltip property has been added to the button component.
    • 
      Sure, here’s the revised point with a bit more detail for the target and rel properties:
  • The button component now supports:
    • download: makes the button download a file when clicked,
    • target: specifies where to open the linked document (e.g., in a new tab or window),
    • rel: defines the relationship between the current document and the linked document, and can also prevent search engines from following the link.
    • 

• 📋 CSV Component Fix: The separator parameter in the CSV component now functions correctly, enabling the creation of Excel-compatible CSVs in regions where ; is the expected separator.

  • 

• 🔍 Shell Component Update: A new search_value property has been added.

  • 

• 📏 Hero Component Text Fix: Long button text in the hero component now renders on multiple lines when the viewport is narrow.

  • 

• 🍪 Cookie Component Bug Fix: Fixed an issue where removing a cookie from a subdirectory was not working. See #361.

• 🛠️ SQL Parser Update: The SQL parser has been updated to fix support for AT TIME ZONE in PostgreSQL and GROUP_CONCAT() in MySQL.

• ⚠️ Form Field Warning: A new warning message is logged when attempting to use SET $x = if there is already a form field named x.

• 🗺️ Map Component Centering: The map component now centers on its markers if latitude and longitude properties are omitted. This makes it easier to create zoomed maps with a single marker. See issue.

  • 

• ⏲️ Fetch Timeout Option: The sqlpage.fetch function now includes a timeout option for requests, useful for handling slow or unreliable APIs and large payloads.

• 🎥 Hero Component Video Properties: The hero component now supports poster, loop, muted, and nocontrols properties for videos.

• 🌐 Icon Bug Fix: Fixed an issue where icons would disappear when serving a SQLPage website from a subdirectory using the site_prefix configuration option.

v0.22.0

• Important Security Fix: The behavior of SET $x has been modified to match SELECT $x.
  • Security Risk: Previously, SET $x could be overwritten by a POST parameter named x.
  • Solution: Upgrade to SQLPage v0.22. If not possible, then update your application to use SET :x instead of SET $x.
  • For more information, see GitHub Issue #342.
• Deprecation Notice: Reading POST variables using $x.
  • New Standard: Use :x for POST variables and $x for GET variables.
  • Current Release Warning: Using $x for POST variables will display a console warning:

    Deprecation warning! $x was used to reference a form field value (a POST variable) instead of a URL parameter. This will stop working soon. Please use :x instead.
    

  • Future Change: $x will evaluate to NULL if no GET variable named x is present, regardless of any POST variables.
  • Detection and Update: Use provided warnings to find and update deprecated usages in your code.
  • Reminder about GET and POST Variables:
    • GET Variables: Parameters included in the URL of an HTTP GET request, used to retrieve data. Example: https://example.com/page?x=value, where x is a GET variable.
    • POST Variables: Parameters included in the body of an HTTP POST request, used for form submissions. Example: the value entered by the user in a form field named x.
• Two backward-incompatible changes in the chart component's timeseries plotting feature (actioned with TRUE as time):
  • when providing a number for the x value (time), it is now interpreted as a unix timestamp, in seconds (number of seconds since 1970-01-01 00:00:00 UTC). It used to be interpreted as milliseconds. If you were using the TRUE as time syntax with integer values, you will need to divide your time values by 1000 to get the same result as before.
    • This change makes it easier to work with time series plots, as most databases return timestamps in seconds. For instance, in SQLite, you can store timestamps as integers with the unixepoch() function, and plot them directly in SQLPage.
  • when providing an ISO datetime string for the x value (time), without an explicit timezone, it is now interpreted and displayed in the local timezone of the user. It used to be interpreted as a local time, but displayed in UTC, which was confusing. If you were using the TRUE as time syntax with naive datetime strings (without timezone information), you will need to convert your datetime strings to UTC on the database side if you want to keep the same behavior as before. As a side note, it is always recommended to store and query datetime strings with timezone information in the database, to avoid ambiguity.
    • This change is particularly useful in SQLite, which generates naive datetime strings by default. You should still store and query datetimes as unix timestamps when possible, to avoid ambiguity and reduce storage size.
• When calling a file with sqlpage.run_sql, the target file now has access to uploaded files.
• New article by Matthew Larkin about migrations.
• Add a row-level id attribute to the button component.
• Static assets (js, css, svg) needed to build SQLPage are now cached individually, and can be downloaded separately from the build process. This makes it easier to build SQLPage without internet access. If you use pre-built SQLPage binaries, this change does not affect you.
• New icon_after row-level property in the button component to display an icon on the right of a button (after the text). Contributed by @amrutadotorg.
• New demo example: dark theme. Contributed by @lyderic.
• Add the ability to bind to a unix socket instead of a TCP port for better performance on linux. Contributed by @vlasky.

v0.21.0

• sqlpage.hash_password(NULL) now returns NULL instead of throwing an error. This behavior was changed unintentionally in 0.20.5 and could have broken existing SQLPage websites.

• The dynamic component now supports multiple properties attributes. The following is now possible:

  select 'dynamic' as component,
         '{ "component": "card", "title": "Hello" }' as properties,
         '{ "title": "World" }' as properties;

• Casting values from one type to another using the :: operator is only supported by PostgreSQL. SQLPage versions before 0.20.5 would silently convert all casts to the CAST(... AS ...) syntax, which is supported by all databases. Since 0.20.5, SQLPage started to respect the original :: syntax, and pass it as-is to the database. This broke existing SQLPage websites that used the :: syntax with databases other than PostgreSQL. For backward compatibility, this version of SQLPage re-establishes the previous behavior, converts :: casts on non-PostgreSQL databases to the CAST(... AS ...) syntax, but will display a warning in the logs.

  • In short, if you saw an error like Error: unrecognized token ":" after upgrading to 0.20.5, this version should fix it.

• The dynamic component now properly displays error messages when its properties are invalid. There used to be a bug where errors would be silently ignored, making it hard to debug invalid dynamic components.

• New sqlpage.request_method function to get the HTTP method used to access the current page. This is useful to create pages that behave differently depending on whether they are accessed with a GET request (to display a form, for instance) or a POST request (to process the form).

• include the trailing semicolon as a part of the SQL statement sent to the database. This doesn't change anything in most databases, but Microsoft SQL Server requires a trailing semicolon after certain statements, such as MERGE. Fixes issue #318

• New readonly and disabled attributes in the form component to make form fields read-only or disabled. This is useful to prevent the user from changing some fields.

• 36 new icons (tabler icons 3.4)

• Bug fixes in charts (apexcharts.js v3.49.1)

v0.20.5

SQLPage 0.20.5 : beautiful forms, secure connections, and helpful error messages

SQLPage is a tool to build web apps entirely in SQL. This new version brings visual and usability improvements to searchable form fields, connections to remote databases that require a client-side certificate, and it helps you fix your mistakes better than ever before thanks to more thoughtful error messages.

0.20.5 (2024-05-07)

🔍 Searchable multi-valued selects in the form component

• Fix missing visual indication of selected item in form dropdown fields.
  • 
• fix autofocus on select fields with dropdown
• add searchable as an alias for dropdown in the form component

🔒 Added support for SSL client certificates in MySQL and Postgres

• SSL client certificates are commonly used to secure connections to databases in cloud environments. They allow mutual authentication of the database and the application. To connect to a database that requires a client certificate, you can now use the ssl_cert and ssl_key connection options in the connection string. For example: postgres://user@host/db?ssl_cert=/path/to/client-cert.pem&ssl_key=/path/to/client-key.pem

🤖 The SQLPage function system was greatly improved

• All the functions can now be freely combined and nested, without any limitation. No more Expected a literal single quoted string. errors when trying to nest functions.
• 🛑 The error messages when a function call is invalid were rewritten, to include more context, and provide suggestions on how to fix the error. This should make it easier get started with SQLPage functions.
  Error messages should always be clear and actionnable. If you encounter an error message you don't understand, please open an issue on the SQLPage repository.
• Adding new functions is now easier, and the code is more maintainable. This should make it easier to contribute new functions to SQLPage. If you have an idea for a new function, feel free to open an issue or a pull request on the SQLPage repository. All sqlpage functions are defined in functions.rs.

🤓 For the pros

• 🫗 The shell-empty component (used to create pages without a shell) now supports the html attribute, to directly set the raw contents of the page. This is useful to advanced users who want to generate the page content directly in SQL, without using the SQLPage components.
• 🔌 Better compatibility with some advanced SQL features: Updated sqlparser to v0.46
  • The changes include support for DECLARE parsing and CONVERT styles in MSSQL, improved JSON access parsing and ?-based jsonb operators in Postgres, and ALTER TABLE ... MODIFY support for MySQL.

v0.20.4

SQLPage is an open-source low-code web application server. It lets you create full websites by writing only simple database queries.

This is a small improvement release on top of the larger v0.20.3 update.

• Improvements to the new sqlpage.fetch function:
  • Set a default user-agent header when none is specified (User-Agent: sqlpage).
  • bundle root certificates with sqlpage so that we can always access HTTPS URLs even on outdated or stripped-down systems.
  • update our https library to the latest version everywhere, to avoid having to bundle two distinct versions of it.

v0.20.3

• New dropdown row-level property in the form component
  • 
  • 
• Adds a new sqlpage.fetch function that allows sending http requests from SQLPage. This is useful to query external APIs. This avoids having to resort to sqlpage.exec.
  • 
• Fixed a bug that occured when using both HTTP and HTTPS in the same SQLPage instance. SQLPage tried to bind to the same (HTTP)
  port twice instead of binding to the HTTPS port. This is now fixed, and SQLPage can now be used with both a non-443 port and
  an https_domain set in the configuration file.
• Updated sqlparser
  • adds support for named windows in window functions
• New icons with tabler icons 3.2: https://tabler.io/icons/changelog
• Optimize queries like select 'xxx' as component, sqlpage.some_function(...) as parameter
  to avoid making an unneeded database query.
  This is especially important for the performance of sqlpage.run_sql and the dynamic component.

v0.20.2

• the default component, used when no select '...' as component is present, is now table. It used to be the debug component instead. table makes it extremely easy to display the results of any SQL query in a readable manner. Just write any query in a .sql file open it in your browser, and you will see the results displayed in a table, without having to use any SQLPage-specific column names or attributes.
• Better error messages when a custom component contains a syntax error. Fix contributed upstream
• Lift a limitation on sqlpage function nesting. In previous versions, some sqlpage functions could not be used inside other sqlpage functions. For instance, sqlpage.url_encode(sqlpage.exec('my_program')) used to throw an error saying Nested exec() function not allowed. This limitation is now lifted, and you can nest any sqlpage function inside any other sqlpage function.
• Allow string concatenation inside sqlpage function parameters. For instance, sqlpage.exec('echo', 'Hello ' || $name) is now supported, whereas it used to throw an error saying exec('echo', 'Hello ' || $name) is not a valid call. Only variables (such as $my_variable) and sqlpage function calls (such as sqlpage.header('my_header')) are supported as arguments to sqlpage functions..
• Bump the minimal supported rust version to 1.77 (this is what allows us to easily handle nested sqlpage functions). Now all releases for all operating systems are compiled with the latest rust version.