#25705: Parameters are not adapted or quoted in Query.__str__
-------------------------------------+-------------------------------------
Reporter: Dmitry Dygalo              | Owner: Alex
Type: Cleanup/optimization           | Status: assigned
Component: Database layer            | Version: dev
  (models, ORM)                      |
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 1                       | Patch needs improvement: 1
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Alex):
Replying to [comment:13 Simon Charette]:
> My concerns with fixing this issue related to comments such as comment:5
>
> > It seems to me an experienced Django coder could fix this in minutes
> > and that there should be a regression test for this kind of code:
> >
> > {{{
> > qs=model.objects.somequeryset
> > sql=str(qs.query)
> > raw_qs=model.objects.raw(sql)
> > }}}
>
> We absolutely don't want to support this pattern in a context where we
> can't guarantee that the proper quoting is performed on all supported
> backends as that might result in SQL injection problems. In this sense I
> think that it's a good thing that `sql.Query.__str__` doesn't attempt to
> perform the proper quoting to make it clear it should not be used for this
> purpose.
I'm not sure I understand your point. I think the original commenter was
suggesting that just as a simple way to do the test. I wouldn't consider
someone doing `str(qs.query)` to then pass in to `raw()` a real use case
that anyone would do.
Personally, the use case I've had with this issue is printing the query to
then try to format it and maybe execute it in a SQL editor connected to
my database while testing stuff locally. For that case your suggestion of
sql_with_params wouldn't cover it. I'm not against having that method
either, but I don't see it as a replacement of a correct `str(qs.query)`.
Also my recommended choice was not trying to emulate parameter quoting,
but to use the database library `mogrify` method in 3 of the 5 supported
backends.
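The distinction the thread is drawing, shown as an added example that is not part of the ticket or of Django's code: `str(qs.query)` substitutes the parameters into the SQL with no database quoting, so a string value becomes bare tokens rather than a quoted literal, and the result is not something `raw()` (or any cursor) can safely execute. Keeping the SQL and the parameter tuple separate, which is what `sql_with_params()` returns, lets the driver do the quoting. The example uses the standard-library sqlite3 module with `?` placeholders instead of Django's `%s`, and the table and rows are constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in for the (sql, params) pair Query.sql_with_params()
# returns: placeholders in the SQL, values kept separate. Django emits %s
# placeholders; sqlite3 wants ?, so this demo assumes ? throughout.
SQL_WITH_PARAMS = (
    'SELECT "name", "age" FROM "person" WHERE "name" = ? AND "age" > ?',
    ("O'Brien", 30),
)


def build_db():
    """Create an in-memory table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "person" ("name" TEXT, "age" INTEGER)')
    conn.executemany(
        'INSERT INTO "person" VALUES (?, ?)',
        [("O'Brien", 42), ("Alice", 35), ("O'Brien", 20)],
    )
    return conn


def naive_str_query(sql, params):
    """What Query.__str__ does today: plain string substitution of the
    parameters, with no quoting at all. A string value ends up as bare
    tokens in the SQL text, so the rendering is fine for reading but is
    not valid SQL to execute."""
    return sql.replace("?", "%s") % params


def run_naive(conn, sql, params):
    """Feed the unquoted rendering to a cursor, as a caller passing
    str(qs.query) into raw() would. Returns the error text instead of
    raising so the failure mode is visible."""
    try:
        return conn.execute(naive_str_query(sql, params)).fetchall()
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def run_parameterized(conn, sql, params):
    """The safe path: hand SQL and params to the driver separately and let
    it quote the values (the sql_with_params() + cursor.execute pattern)."""
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("rendered by __str__-style substitution:")
    print("  ", naive_str_query(*SQL_WITH_PARAMS))
    print("executing that rendering:", run_naive(db, *SQL_WITH_PARAMS))
    print("executing with params kept separate:",
          run_parameterized(db, *SQL_WITH_PARAMS))
```

The naive rendering is still useful for eyeballing a query, which is the use case described in the comment above, but the driver rejects it as soon as a string value is involved, and values containing quote characters are exactly where a hand-quoted reconstruction would go wrong. Only the parameterized call returns the intended row.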
--
Ticket URL: <https://code.djangoproject.com/ticket/25705#comment:15>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.