#25705: Parameters are not adapted or quoted in Query.__str__
-------------------------------------+-------------------------------------
     Reporter:  Dmitry Dygalo        |                    Owner:  Alex
         Type:  Cleanup/optimization |                   Status:  assigned
    Component:  Database layer       |                  Version:  dev
                (models, ORM)        |
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  1                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by Mariusz Felisiak):

 Replying to [comment:19 Carlton Gibson]:
 > FWIW I’ve wanted sql_with_params() to be public for ''other reasons'',
 > so I’d be keen if there are no blockers

 I don't mind documenting `sql_with_params()`, but would like to avoid
 encouraging users to use raw SQL queries. Also, `sql_with_params()` is not
 a panacea; it has its limitations, e.g. it always uses the default database
 connection. For most users it may be tricky to include parameters into an
 SQL string, which can lead to SQL injection vectors. IMO,
 `sql_with_params()` is only for advanced users, who know the risks.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/25705#comment:20>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
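An added example (not Django's code and not part of the ticket) of the point made above about including the parameters yourself: it uses the stdlib sqlite3 module with a constructed (sql, params) pair standing in for what `sql_with_params()` returns, and compares hand-interpolating the parameters into the SQL text with letting the driver bind them.

```python
import sqlite3

# Constructed stand-in for the (sql, params) pair that Django's
# Query.sql_with_params() returns: placeholders in the SQL, values kept apart.
SQL_WITH_PARAMS = (
    'SELECT "author"."name" FROM "author" WHERE "author"."name" = %s',
    ("O'Brien",),
)


def naive_render(sql, params):
    """Paste the parameters into the SQL text by hand, wrapping each in quotes.

    This is the shortcut the comment warns about: the caller is now responsible
    for escaping, and an ordinary value containing a quote already breaks it.
    """
    return sql % tuple("'%s'" % p for p in params)


def execute_parametrised(conn, sql, params):
    """Let the driver bind the parameters instead.

    sqlite3 expects ? placeholders, so the %s placeholders are translated first
    (this mirrors what Django's sqlite backend does; the helper is our own).
    """
    return conn.execute(sql.replace("%s", "?"), params).fetchall()


def execute_rendered(conn, sql, params):
    """Run the hand-rendered string; return the database error text if it fails."""
    try:
        return conn.execute(naive_render(sql, params)).fetchall()
    except sqlite3.Error as exc:
        return str(exc)


def demo():
    """Same query, same parameters, two outcomes (constructed in-memory data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "author" ("name" TEXT)')
    conn.executemany('INSERT INTO "author" VALUES (?)', [("O'Brien",), ("Smith",)])
    sql, params = SQL_WITH_PARAMS
    return {
        "parametrised": execute_parametrised(conn, sql, params),  # [("O'Brien",)]
        "naive": execute_rendered(conn, sql, params),  # a syntax error message
    }


if __name__ == "__main__":
    print(demo())
```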
