v0.44.0

This release focuses on making production SQLPage apps easier to understand, debug, and operate. Most apps should keep working without SQL changes, but maintainers should review the notes about logging and uploaded-file permissions.

• Find out why a page is slow. SQLPage can now produce a timeline for every request: when the request arrived, which .sql file ran, how long it waited for a database connection, which SQL queries ran, and how long calls to sqlpage.fetch, sqlpage.run_sql, or sqlpage.exec took. This kind of request timeline is called a trace. SQLPage emits it using OpenTelemetry, the standard format understood by tools such as Grafana, Jaeger, Datadog, Honeycomb, New Relic, and others.
  • Easy start: run the ready-to-use examples/telemetry Docker Compose setup. It starts SQLPage, PostgreSQL, Grafana, Tempo, Loki, Prometheus, and an OpenTelemetry collector, so you can click through a sample app and immediately see request timelines and logs.
  • If you already have a monitoring backend: set OTEL_EXPORTER_OTLP_ENDPOINT and, optionally, OTEL_SERVICE_NAME=sqlpage.
  
• Logging is now structured and safer. LOG_LEVEL is the preferred environment variable for SQLPage log filtering. RUST_LOG still works as an alias, so existing deployments do not need an immediate change. Debug logs for OIDC and sqlpage.fetch no longer dump raw tokens, cookies, claims, or response bodies, while still keeping useful request and response metadata.
• New function: sqlpage.regex_match(pattern, text). It returns regex capture groups as JSON, or NULL when there is no match. This is especially useful in custom 404.sql files for clean dynamic routes such as /categories/sql/post/42 without creating one SQL file per possible URL.
• Uploaded files can now get explicit Unix permissions. sqlpage.persist_uploaded_file(field, folder, allowed_extensions, mode) accepts a fourth mode argument such as '644'. On Unix, uploaded files default to 600, meaning only the SQLPage process owner can read them. If you serve uploaded files directly from nginx, Caddy, or another reverse proxy, pass an appropriate mode such as '644'.
• Charts are easier to tune and more accessible. The chart component now supports show_legend to hide or show the series legend. ApexCharts was updated from 5.3.6 to 5.13.0. It brings fixes for datetime axes, annotations, data labels, legend state, tooltips, keyboard navigation, reduced-motion handling, and built-in palette contrast. SQLPage also fixes the chart toolbar menu in dark mode.
• The SQL parser was updated to sqlparser-rs 0.62.0, which is the latest published version at release time. For SQLPage users, this mainly means fewer false parse errors when using database-specific SQL. Notable additions include more PostgreSQL, MySQL, MSSQL, Snowflake, Redshift, Databricks, Spark SQL, and Teradata syntax, plus a SQLite parser panic fix for incomplete REGEXP/MATCH expressions.
• Card image galleries can avoid layout shifts. The card component now supports top_image_lazy, top_image_width, and top_image_height, so pages with many card images can load more smoothly.
• Datagrid rows can now have stable HTML anchors. The datagrid component supports a row-level id parameter, useful for links, targeted CSS, and small bits of custom JavaScript.
• OIDC login is more robust under repeated unauthenticated requests. SQLPage now caps temporary login-state cookies, avoiding the unbounded cookie growth that could happen when many protected pages were requested before authentication completed.
• HTTP error statuses are more accurate. Malformed multipart form data and invalid UTF-8 text fields now return 400 Bad Request; database connection-pool exhaustion now returns 429 Too Many Requests; invalid non-Unicode static paths now return 400 Bad Request; and paths that accidentally descend into a file now behave like normal missing resources. This should make monitoring dashboards and reverse-proxy logs easier to interpret.
• Invalid response headers no longer crash SQLPage. If a header-only page tries to return an invalid header value, SQLPage now returns a normal error response instead of crashing the request handling path.
• DuckDB :: casts are handled better. SQLPage no longer warns unnecessarily when using DuckDB-style casts.
• Database-backed filesystems fail earlier and more clearly when misconfigured. SQLPage now checks that the sqlpage_files table is available before preparing database filesystem queries, so a missing or inaccessible table produces a direct startup error.
• Dependencies and release tooling were refreshed. This includes updates to Rust, OpenTelemetry, sqlx-oldapi, frontend assets, Docker images, and GitHub Actions used by CI and release builds.

SQLPage v0.43.0 (2026-03-08)

• OIDC protected and public paths now respect the site prefix when it is defined.
• Fix: OIDC provider metadata refreshes now always happen in the background, and with a timeout. Previously, a slow OIDC provider could prevent SQLPage from handling requests for an arbitrary amount of time.
• Fix: forms without submit or reset buttons no longer keep extra bottom spacing.
• add submit and reset form button icons: validate_icon, reset_icon, reset_color
• improve error messages when sqlpage functions are used incorrectly. Include precise file reference and line number
• updated sql parser: https://github.com/apache/datafusion-sqlparser-rs/blob/main/changelog/0.61.0.md
• Add margin bottom in the big number component
• In forms without a submit button (such as auto_submit forms), remove awkward padding at the end of the form

SQLPage v0.42.0 (2025-12-28)

New features

• Better support for alternative databases
  • SQL file parsing
    • add support for some DuckDB-specific syntax (like select {'a': 1, 'b': 2}),
    • same for Oracle-specific syntax
• New docker image variant: lovasoa/sqlpage:latest-duckdb, lovasoa/sqlpage:main-duckdb, lovasoa/sqlpage:v0.42.0-duckdb with preconfigured duckdb odbc drivers. Just run the image and you have a sqlpage connected to a duckdb running. This makes it much easier to use SQLPage on existing local or remote CSV, XLSX, JSON, or Parquet files without any data conversion step.
• New config option: cache_stale_duration_ms to control the duration for which cached sql files are considered fresh.

New Functions

• sqlpage.web_root() returns the web root directory where SQLPage serves .sql files from. This is more reliable than sqlpage.current_working_directory() when you need to reference the location of your SQL files, because it takes into account the --web-root command line argument and the WEB_ROOT environment variable.
• sqlpage.configuration_directory() returns the configuration directory where SQLPage looks for sqlpage.json, templates, and migrations.

Bug fixes

• Fixed oracle-specifc bugs. The entire sqlpage test suite now runs against an oracle database after each change, guaranteeing no regression.
• The default welcome page (index.sql) now correctly displays the web root and configuration directory paths instead of showing the current working directory.
• sqlpage.variables() returned json objects with duplicate keys when post, get and set variables of the same name were present. It now always returns valid json objects without duplicate keys. The semantics of the returned values remains the same (precedence: set > post > get).
• better oidc support. Single-sign-on now works with sites:
  • using a non-default site_prefix
  • hosted behind an ssl-terminating reverse proxy
• Fixed a bug where sqlpage would sometimes redirect to the wrong url after logout, causing logout failures when using sqlpage.oidc_logout_url()

SQLPage v0.41.0 (2025-12-28)

• New Function: sqlpage.oidc_logout_url(redirect_uri) generates a secure logout URL for OIDC-authenticated users with support for RP-Initiated Logout
• Fix compatibility with Auth0 for OpenID-Connect authentification. See ramosbugs/openidconnect-rs#23
• updated sql parser: https://github.com/apache/datafusion-sqlparser-rs/blob/main/changelog/0.60.0.md
• updated apexcharts to 5.3.6:
  • apexcharts/apexcharts.js@v5.3.0...v5.3.6
  • https://github.com/apexcharts/apexcharts.js/releases/tag/v5.3.6
• re-add the lime color option to charts
• update default chart color palette; use Open Colors
  • 
• re-enable text drop shadow in chart data labels

Merry Christmas and a happy new year!

performance improvements, bug fixes, backwards incompatible variable

handling changes

• OIDC login redirects now use HTTP 303 responses so POST submissions are converted to safe GET requests before reaching the identity provider, fixing incorrect reuse of the original POST (HTTP 307) that could break standard auth flows.
• SQLPage now respects HTTP accept headers for JSON. You can now easily process the contents of any existing sql page programmatically with:
  • curl -H "Accept: application/json" http://example.com/page.sql: returns a json array
  • curl -H "Accept: application/x-ndjson" http://example.com/page.sql: returns one json object per line.
• Fixed a bug in sqlpage.link: a link with no path (link to the current page) and no url parameter now works as expected. It used to keep the existing url parameters instead of removing them. sqlpage.link('', '{}') now returns '?' instead of the empty string.
• sqlpage.fetch(null) and sqlpage.fetch_with_meta(null) now return null instead of throwing an error.
• New Function: sqlpage.set_variable(name, value)
  • Returns a URL with the specified variable set to the given value, preserving other existing variables.
  • This is a shorthand for sqlpage.link(sqlpage.path(), json_patch(sqlpage.variables('get'), json_object(name, value))).
• Variable System Improvements: URL and POST parameters are now immutable, preventing accidental modification. User-defined variables created with SET remain mutable.
  • BREAKING: $variable no longer accesses POST parameters. Use :variable instead.
    • What changed: Previously, $x would return a POST parameter value if no GET parameter named x existed.
    • Fix: Replace $x with :x when you need to access form field values.
    • Example: Change SELECT $username to SELECT :username when reading form submissions.
  • BREAKING: SET $name no longer makes GET (URL) parameters inaccessible when a URL parameter with the same name exists.
    • What changed: SET $name = 'value' would previously overwrite the URL parameter $name. Now it creates an independent SET variable that shadows the URL parameter.
    • Fix: This is generally the desired behavior. If you need to access the original URL parameter after setting a variable with the same name, extract it from the JSON returned by sqlpage.variables('get').
    • Example: If your URL is page.sql?name=john, and you do SET $name = 'modified', then:
      • $name will be 'modified' (the SET variable)
      • The original URL parameter is still preserved and accessible:
        • sqlpage.variables('get')->>'name' returns 'john'
  • New behavior: Variable lookup now follows this precedence:
    • $variable checks SET variables first, then URL parameters
    • SET variables always shadow URL/POST parameters with the same name
  • New sqlpage.variables() filters:
    • sqlpage.variables('get') returns only URL parameters as JSON
    • sqlpage.variables('post') returns only POST parameters as JSON
    • sqlpage.variables('set') returns only user-defined SET variables as JSON
    • sqlpage.variables() returns all variables merged together, with SET variables taking precedence
  • Deprecation warnings: Using $var when both a URL parameter and POST parameter exist with the same name now shows a warning. In a future version, you'll need to explicitly choose between $var (URL) and :var (POST).
• Improved performance of sqlpage.run_sql.
  • On a simple test that just runs 4 run_sql calls, the new version is about 2.7x faster (15,708 req/s vs 5,782 req/s) with lower latency (0.637 ms vs 1.730 ms per request).
• add support for postgres range types

SQLPage v0.39.1 released !

• More precise server timing tracking to debug performance issues
• Fix missing server timing header in some cases
• Implement nice error messages for some header-related errors such as invalid header values.
• compress_responses is now set to false by default in the configuration.
  • When response compression is enabled, additional buffering is needed. Users reported a better experience with pages that load more progressively, reducing the time before the pages' shell is rendered.
  • When SQLPage is deployed behind a reverse proxy, compressing responses between sqlpage and the proxy is wasteful.
• In the table component, allow simple objects in custom_actions instead of requiring arrays of objects.
• Fatser icon loading. Previously, even a page containing a single icon required downloading and parsing a ~2MB file. This resulted in a delay where pages initially appeared with a blank space before icons appeared. Icons are now inlined inside pages and appear instantaneously.
• Updated tabler icons to 3.35
• Fix inaccurate ODBC warnings
• Added support for Microsoft SQL Server named instances: mssql://user:pass@localhost/db?instance_name=xxx
• Added a detailed performance guide to the docs.

SQLPage v0.39.0

• Added support for executing SQL for URL paths with additional extensions.
  For example, creating sitemap.xml.sql will execute the SQL file when visiting example.com/sitemap.xml.

• Error messages now display source line information even when the database does not return a precise error position. In such cases, the entire problematic SQL statement is referenced.

  • 

• The shell with a vertical sidebar now supports active elements, similar to the horizontal header bar.

  • 

• Added new properties (edit_url, delete_url, and custom_actions) to the table component, making it easy to add icon buttons for editing, deleting, or performing custom actions. Thank you, @Phoenix79-spec for implementing this !

  • 

• SQLPage now sets the Server-Timing header in development mode. This allows you to identify performance bottlenecks by opening your browser’s network inspector, selecting a slow request, and viewing the Timing tab.

  • 

• Fixed a memory corruption issue leading to crashes in the built-in ODBC driver manager.

• ODBC: Fixed support for using globally installed system drivers by name on Debian-based Linux distributions. This means you can reference drivers by their name instead of having to provide the full path to the driver's .so file on these distributions.

• Added a new login component to create visually appealing login forms easily. Many thanks to @olivierauverlot for his contribution !

  • 

SQLPage v0.38 released !

Main change: SQLPage now works with almost all database management systems, thanks to ODBC. You can now build a SQLPage interface for your cloud databases like Snowflake and BigQuery, for flat files using DuckDB, for multiple heterogeneous data sources with Trino, and more.

Also: new sqlpage.hmac() function (useful when creating webhooks in SQLPage), some speed optimizations, and bug fixes.

Release Notes

🗄️ ODBC Support: Connect to Even More Databases

SQLPage now supports the Open Database Connectivity (ODBC) standard, expanding compatibility to a wide range of databases:

• ClickHouse
• MongoDB (via SQL interface)
• DuckDB, and through it many other data sources
• Oracle
• Snowflake
• BigQuery
• IBM DB2
• Trino, and through it many other data sources

You can now connect SQLPage to almost any major database or analytical system.
When using SQLPage with analytical databases, keep in mind that they usually have a higher per-query overhead. To maintain good performance and fast page loads, structure your SQL to run fewer, broader queries instead of several tiny ones.

🔑 New sqlpage.hmac() Function

A new built-in function for secure HMAC (Hash-based Message Authentication Code) operations.

Use it to:

• Create and verify secure webhook signatures (Shopify, Stripe, GitHub, etc.)
• Generate tamper-proof API tokens or temporary access codes

Features: supports SHA-256 and SHA-512, with hex (default) or base64 encoding.

⚡ Local Execution for Literal Assignments

Setting a variable to a literal (e.g., SET x = 'hello') is now executed locally by SQLPage instead of hitting the database.
This removes unnecessary database roundtrips and makes static variable extraction cost-free. This should incentivize you to write cleaner queries and decompose your code to use more variables.

🔢 Arbitrary Precision for Numeric Values

SQLPage now uses arbitrary-precision numbers internally for numeric values returned by the database.
This eliminates rounding or truncation issues with very large or very small DECIMAL / NUMERIC fields from your database.

🧩 UI Polish: List Component Spacing Fix

Fixed a minor spacing issue in list components when displaying empty values.
The layout now remains consistent regardless of missing or null fields.

SQLPage v0.38.0 Beta Released

This is a beta release — please report bugs on GitHub if you encounter anything unexpected.

New Features

ODBC Support

SQLPage now supports the Open Database Connectivity (ODBC) standard. This feature makes SQLPage compatible with many enterprise and cloud data systems, dramatically expanding the range of possible integrations.

You can now use SQLPage with ClickHouse, MongoDB (via Atlas Data Federation), DuckDB (and its connected data sources), Oracle, Snowflake, BigQuery, IBM DB2, Trino (including its connectors) and many more.

sqlpage.hmac() Function

A new function, sqlpage.hmac(), provides cryptographic HMAC (Hash-based Message Authentication Code) operations for signing and verifying data. Useful for integrating with other systems such as Stripe and Shopify to process payments from your SQLPage website.

This is a beta version. If you experience any issues, please open a bug report

SQLPage v0.37.1 released !

This is a small bugfix release: fixes for UUID decoding, NULL handling in sqlpage.link, OIDC login loops, submenu clicks, and several SQL parser improvements.

Release Notes

🐛 Bug Fixes

• Fixed decoding of UUID values.

• Fixed handling of NULL values in sqlpage.link:

  • Previously encoded as 'null' (string).
  • Now omitted correctly from query parameters.

• Fixed a bug in OIDC login flows:

  • When two tabs started login simultaneously, an infinite redirect loop could occur.
  • Most common when mobile browsers restored multiple inactive tabs.

🖱️ Submenu Handling in Shell

• Submenus now auto-close on click.
• This avoids a regression introduced in v0.36.0 where clicking anywhere after submenu navigation scrolled the page back to the top.
• Temporary fix — a proper solution is planned for the next release.
• See issue #1011 for details.

🎨 Better Visual Errors

• Adopted the new styled error pages (introduced in v0.37.1) for:

  • 403 Forbidden
  • 429 Too Many Requests

📜 SQL Parser Improvements

• Improved compatibility with advanced queries:

  • MERGE queries inside CTEs.
  • MERGE queries with RETURNING clauses.

• Based on upstream changes in datafusion-sqlparser-rs 0.59.0.