I've seen recommendations to use this during conference talks by people with a fairly deep knowledge of the ORM as recently as 2019, so I do believe it can be made more blatantly clear in its purpose. We took a stab at improving it during DjangoCon 2019. Consensus was that:

(a) when the underlying DB driver provides a method of constructing the query, a la PostgreSQL's `mogrify`, we can use it;
(b) when the underlying DB driver does NOT provide a method, we can make it obvious not to use it for more than debugging.

IIRC, Tim Graham suggested we construct the string to be something like """SQL: SELECT ... FROM ... WHERE x = ? AND y = ? PARAMS: ("this", "that")""" to provide the relevant information, but make it very obvious you can't copy pasta it into a SQL command line tool.

Here's the PR we were working on, which also contains some good discussion and background in addition to Claude's PR: https://github.com/django/django/pull/10568

...but ultimately, we decided Claude's approach linked by Mariusz above was better. I'd love to see this cross the finish line one of these days; my burning use case was eventually solved when `queryset.explain()` was introduced in Django 2.1.

On Friday, September 11, 2020 at 10:16:22 AM UTC-4 fran.h...@gmail.com wrote:

> Just my $.02, literally yesterday I saw a str(queryset.query) used to construct a raw SQL query. It of course suffers from the worst kind of SQL injection as well.
>
> +1 to make it obvious, somehow, that kittens die every time it is used for a real query.
>
> On 11 Sep 2020, at 15:58, Alexander Lyabah <a.ly...@checkio.org> wrote:
>
> I'm sorry. Now things sound even more confusing for me.
>
> From one side you've said that "No, this function is never working in a useful way." (but my example from the post shows how it works in the beginning and then stops working for datetime, which means it was pretty much useful for some very common cases)
>
> From another side, you have accepted tickets to make this function work in a useful way.
>
> So it looks very much like you've made a function that returns something that looks very much like SQL, but shouldn't be used as SQL, it is just for debug, and you have a bunch of tickets to make SQL-like debug text work as real SQL.
>
> So, my humble suggestion here is very simple. If you don't want something to be used in an appropriate way, don't make it look like it can be used this way.
>
> On Thursday, September 10, 2020 at 1:40:33 PM UTC+3 f.apo...@gmail.com wrote:
>
>> On Thursday, September 10, 2020 at 11:16:56 AM UTC+2 Alexander Lyabah wrote:
>>
>>> The problem with the function is that it is actually working, but not always, and because of that, other people are suggesting it on StackOverflow, using it in prod, and may eventually catch weird exceptions, which leads to a bad experience with Django in general.
>>
>> No, this function is never working in a useful way. It does client side interpolation of query params which should be done by the drivers instead; even when it works it is potentially dangerous. The actual problem is that people on StackOverflow recommend using it. FWIW, since it is solely a debugging aid I'd actually break any usage of it by adding "--" to the start of it (or similar).
>
> --
> You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/487cadce-51db-418f-aca4-ebe14aa16bb9n%40googlegroups.com
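Taking the two ideas from the thread together (a debug rendering that cannot be pasted into a SQL shell as a query, and leaving parameter binding to the driver), here is an added example; it is not Django's code nor anything posted in the thread, and the in-memory sqlite3 table, rows and query are constructed for illustration.

```python
"""Added example (not Django's or the thread's code): keep SQL text and
parameters separate, let the driver bind them, and render a debug form
that cannot be pasted into a SQL shell as a runnable query."""
import datetime
import sqlite3

# Explicit adapter so a datetime parameter round-trips as ISO text
# (assumption: the constructed table stores timestamps as such strings).
sqlite3.register_adapter(datetime.datetime, lambda d: d.isoformat(" "))


def debug_sql(sql: str, params: tuple) -> str:
    """The 'SQL: ... PARAMS: ...' form suggested in the thread, prefixed
    with '--' (also from the thread) so the whole line is a SQL comment
    if someone pastes it into a command line tool."""
    return f"-- SQL: {sql} PARAMS: {params!r}"


def naive_interpolation(sql: str, params: tuple) -> str:
    """Client-side substitution via repr(): the failure mode the thread
    describes, shown only to make the datetime breakage visible."""
    return sql.replace("?", "%s") % tuple(repr(p) for p in params)


def run_parametrised(conn: sqlite3.Connection, sql: str, params: tuple) -> list:
    """Driver-side binding: the driver decides quoting and typing."""
    return conn.execute(sql, params).fetchall()


def demo() -> tuple:
    """Constructed in-memory table and rows; returns (debug line,
    naively interpolated string, rows from the properly bound query)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event (name TEXT, created TEXT)")
    conn.executemany("INSERT INTO event VALUES (?, ?)", [
        ("deploy", "2020-09-10 13:40:33"),
        ("rollback", "2020-09-11 10:16:22"),
    ])
    sql = "SELECT name FROM event WHERE created >= ? AND name = ?"
    params = (datetime.datetime(2020, 9, 11), "rollback")
    return (debug_sql(sql, params),
            naive_interpolation(sql, params),
            run_parametrised(conn, sql, params))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The naively interpolated string contains a Python repr of the datetime rather than a SQL literal, which is exactly why such output is useful for reading but not for running.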